Old 01-01-2008, 10:44 AM   #1 (permalink)
Registered User
 
Join Date: Jan 2008
Posts: 6
OS: WindowsXP Home SP2


Vundo infection

Hi,
I've been infected by Trojan.Vundo, and I can't get rid of it. I've done the removal many times through VundoFix, but it always comes back!!

Deckard's System Scanner v20071014.68
Run by user on 2007-12-31 11:05:10
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
17: 2007-12-31 09:05:23 UTC - RP230 - Deckard's System Scanner Restore Point
16: 2007-12-30 23:06:22 UTC - RP229 - Before uninstall Wyzo 0.5.3
15: 2007-12-30 23:03:24 UTC - RP228 - Before uninstall ΠΒΐΛΦ±²¥
14: 2007-12-29 23:11:37 UTC - RP227 - Installed ESET Smart Security
13: 2007-12-29 23:11:17 UTC - RP226 - Removed ESET NOD32 Antivirus


-- First Restore Point --
1: 2007-12-26 22:40:45 UTC - RP214 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

System Drive C: has 4.21 GiB (less than 15%) free.


-- HijackThis (run as user.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:13:41 πμ, on 31/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Eset\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\user.USER-64C1C071A7\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\user.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.flash.gr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
F3 - REG:win.ini: load=C:\WINDOWS\system32\geedd.exe
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0B59E3DB-256D-48A1-81B9-5750102ED242} - (no file)
O2 - BHO: SWEETIE - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - C:\PROGRA~1\MACROG~1\SWEETI~1\toolbar.dll
O2 - BHO: (no name) - {23CF6D25-9808-44BA-B07E-2E6B1D82FCAF} - (no file)
O2 - BHO: (no name) - {2EF04B7F-3DF8-4E6C-B261-A673FF113544} - C:\WINDOWS\system32\vturr.dll (file missing)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Plugin Class - {56CD20F0-7C09-11D5-A768-0050042307CE} - C:\PlayerIE\playerIE.dll
O2 - BHO: (no name) - {5F40ED11-E1AD-4B8D-B7F6-B1FCE81087CD} - C:\WINDOWS\system32\geebc.dll (file missing)
O2 - BHO: (no name) - {61AAA5A2-47AD-4039-A20D-D9A57EBE4745} - C:\WINDOWS\system32\geedd.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: (no name) - {736A0364-29FD-4B82-8C51-93534857C0D1} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {822B1885-D350-45EC-933E-955BB0879C00} - C:\WINDOWS\system32\ssqpm.dll (file missing)
O2 - BHO: (no name) - {89AF1DCA-6355-4465-94B0-E3D49FD2896B} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {9CE01F99-8511-4A5B-939D-B75884CF2DC8} - C:\WINDOWS\system32\vtutu.dll (file missing)
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {D0E836B8-89B4-4139-A895-9B6D6B80FEAC} - (no file)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Windows Terminal Manager] rmbsvc.exe
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Download with Rapget - C:\Documents and Settings\user.USER-64C1C071A7\My Documents\rapget140\rapget.htm
O8 - Extra context menu item: E&ξαγωγή στο Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Προσθήκη στο ιστολόγιο - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Προσθήκη στο ιστολόγιο στο Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Αποστολή στο OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Α&ποστολή στο OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Πρόχειρες σελίδες HP - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Έξυπνη επιλογή HP - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {070CA17A-4BD2-4612-83B4-32B1B9159B47} (ULiveCtrl Control) - http://uc.sina.com.cn/download/live/weblive2.4.0.0.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://maps.flash.gr/inc/activex/mgaxctrl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B8290E1B-1969-4467-98E5-F5CD44C2156C}: NameServer = 194.219.227.2,193.92.150.3
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\Eset\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\Eset\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe

--
End of file - 11343 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 sfdrv01 (StarForce Protection Environment Driver (version 1.x)) - c:\windows\system32\drivers\sfdrv01.sys <Not Verified; Protection Technology (StarForce); SF FrontLine>
R0 sfsync03 (StarForce Protection Synchronization Driver (version 3.x)) - c:\windows\system32\drivers\sfsync03.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfsync04 (StarForce Protection Synchronization Driver (version 4.x)) - c:\windows\system32\drivers\sfsync04.sys <Not Verified; Protection Technology (StarForce); SF FrontLine>
R0 sfvfs02 (StarForce Protection VFS Driver (version 2.x)) - c:\windows\system32\drivers\sfvfs02.sys <Not Verified; Protection Technology; StarForce Protection System>
R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
R2 ACEDRV07 - c:\windows\system32\drivers\acedrv07.sys <Not Verified; Protect Software GmbH; >
R3 NVR0Dev - c:\windows\nvoclock.sys <Not Verified; NVidia Corp.; NVidia System Utility Driver>
R3 pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>

S3 npkcrypt - c:\program files\lineage ii\system\npkcrypt.sys <Not Verified; INCA Internet Co., Ltd.; nProtect KeyCrypt Driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 FirebirdGuardianDefaultInstance (Firebird Guardian - DefaultInstance) - c:\program files\firebird\firebird_1_5\bin\fbguard.exe -s <Not Verified; The Firebird Project; Firebird SQL Server>
R2 nTuneService (nTune Service) - c:\program files\nvidia corporation\ntune\ntuneservice.exe /startservice <Not Verified; NVIDIA; NVIDIA nTune>
R2 StarWindServiceAE (StarWind AE Service) - c:\program files\alcohol soft\alcohol 120\starwind\starwindserviceae.exe <Not Verified; Rocket Division Software; StarWind Alcohol Edition>
R3 FirebirdServerDefaultInstance (Firebird Server - DefaultInstance) - c:\program files\firebird\firebird_1_5\bin\fbserver.exe -s <Not Verified; The Firebird Project; Firebird SQL Server>

S3 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2007-12-31 10:50:00 256 --a------ C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job


-- Files created between 2007-11-30 and 2007-12-31 -----------------------------

2007-12-31 10:39:11 0 d-------- C:\ie-spyad_zo
2007-12-31 10:31:32 0 d-------- C:\Program Files\SpywareBlaster
2007-12-31 01:26:22 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-12-31 01:26:19 0 d-------- C:\WINDOWS\LastGood
2007-12-30 23:14:04 1 --a------ C:\WINDOWS\system32\geedd.exe
2007-12-30 23:14:03 319 --ahs---- C:\WINDOWS\system32\ddeeg.ini2
2007-12-30 23:13:26 344576 --a------ C:\WINDOWS\system32\geedd.dll
2007-12-30 18:28:15 0 d-------- C:\Program Files\Spyware Doctor
2007-12-30 18:28:15 0 d-------- C:\Documents and Settings\user.USER-64C1C071A7\Application Data\PC Tools
2007-12-30 18:23:33 1 --a------ C:\WINDOWS\system32\geebc.exe
2007-12-30 18:02:08 0 d-------- C:\Documents and Settings\user.USER-64C1C071A7\Application Data\URSoft
2007-12-30 18:01:58 0 d-------- C:\Program Files\Your Uninstaller 2008
2007-12-30 17:23:53 39424 -----n--- C:\WINDOWS\system32\urqrqrs.dll
2007-12-30 16:52:53 1 --a------ C:\WINDOWS\system32\mljjj.exe
2007-12-30 13:48:26 0 d-------- C:\Program Files\Trend Micro
2007-12-30 13:39:08 1 --a------ C:\WINDOWS\system32\ssqpm.exe
2007-12-30 01:13:46 0 d-------- C:\Documents and Settings\user.USER-64C1C071A7\Application Data\ESET
2007-12-30 00:40:35 0 d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2007-12-30 00:40:31 0 d-------- C:\Documents and Settings\user.USER-64C1C071A7\Application Data\PrevxCSI
2007-12-29 23:26:59 1 --a------ C:\WINDOWS\system32\jkhhi.exe
2007-12-29 15:18:16 1 --a------ C:\WINDOWS\system32\ssttr.exe
2007-12-29 02:46:55 0 d-------- C:\VundoFix Backups
2007-12-29 02:08:15 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-12-29 02:08:15 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-12-29 02:08:15 0 d--h----- C:\Documents and Settings\Administrator\Recent
2007-12-29 02:08:15 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-12-29 02:08:15 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-12-29 02:08:15 0 d-------- C:\Documents and Settings\Administrator\My Documents <MYDOCU~1>
2007-12-29 02:08:15 0 d-------- C:\Documents and Settings\Administrator\Favorites
2007-12-29 02:08:15 0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-12-29 02:02:27 0 d-------- C:\WINDOWS\setup.pss
2007-12-29 01:28:35 162304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2007-12-29 01:28:35 77312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2007-12-29 01:28:35 69632 --a------ C:\WINDOWS\system32\ztvcabinet.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) 2000 Operating System>
2007-12-29 01:28:35 153088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2007-12-29 01:28:35 75264 --a------ C:\WINDOWS\system32\unacev2.dll
2007-12-29 01:28:26 0 d-------- C:\Program Files\Trojan Remover
2007-12-29 01:15:53 0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-12-29 01:15:53 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-12-29 01:15:53 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2007-12-29 01:15:53 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-12-29 01:15:53 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-12-29 01:15:52 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-12-28 22:53:02 0 d-------- C:\Program Files\Error Repair Professional
2007-12-27 20:16:55 0 d-------- C:\Program Files\PowerISO
2007-12-27 00:44:08 348160 --a------ C:\WINDOWS\system32\jkklj.exe
2007-12-25 23:42:28 0 d-------- C:\Program Files\Alive Directory Uno
2007-12-25 23:42:21 0 d-------- C:\Documents and Settings\All Users\Application Data\{9D32D139-042F-4A88-9A6F-7EA2D5953D61}
2007-12-25 23:42:12 0 d-------- C:\Documents and Settings\user.USER-64C1C071A7\Application Data\Seven Zip
2007-12-18 23:50:59 0 d-------- C:\Program Files\Terminal Reality
2007-12-18 23:49:28 0 d-------- C:\Documents and Settings\user.USER-64C1C071A7\Application Data\Ahead
2007-12-18 23:39:35 0 d-------- C:\Documents and Settings\user.USER-64C1C071A7\Shared
2007-12-18 23:39:35 0 d-------- C:\Documents and Settings\user.USER-64C1C071A7\Incomplete
2007-12-17 22:44:15 101376 --a------ C:\WINDOWS\system32\drivers\ACEDRV07.sys <Not Verified; Protect Software GmbH; >
2007-12-17 22:42:26 0 d-------- C:\Program Files\Ski Alpin Racing 2007
2007-12-17 22:11:01 0 d-------- C:\Documents and Settings\user.USER-64C1C071A7\Application Data\Creative
2007-12-16 16:45:26 0 d-------- C:\Documents and Settings\user\My Documents <MYDOCU~1>
2007-12-16 16:34:55 1202 --a------ C:\WINDOWS\mozver.dat
2007-12-15 13:05:33 0 d-------- C:\Program Files\ASIO4ALL v2
2007-12-15 13:04:46 0 d-------- C:\Documents and Settings\user.USER-64C1C071A7\Application Data\WinRAR
2007-12-15 12:36:35 0 d-------- C:\Documents and Settings\user.USER-64C1C071A7\Application Data\MixMeister Technology
2007-12-14 22:43:11 0 d-------- C:\Documents and Settings\user.USER-64C1C071A7\Application Data\Google
2007-12-14 18:03:45 0 d-------- C:\Documents and Settings\user.USER-64C1C071A7\Contacts
2007-12-14 18:01:18 0 d-------- C:\Documents and Settings\user.USER-64C1C071A7\Application Data\LimeWire
2007-12-14 13:29:47 0 d-------- C:\Documents and Settings\user.USER-64C1C071A7\Application Data\Adobe
2007-12-13 22:53:51 0 d-------- C:\Documents and Settings\user.USER-64C1C071A7\Application Data\.wyzo
2007-12-13 22:53:33 0 d-------- C:\Documents and Settings\user.USER-64C1C071A7\Application Data\Macromedia
2007-12-13 22:53:32 0 d-------- C:\Documents and Settings\user.USER-64C1C071A7\Application Data\HPAppData
2007-12-13 22:50:35 0 d-------- C:\Documents and Settings\user.USER-64C1C071A7\Application Data\Windows Desktop Search
2007-12-13 22:50:25 0 d-------- C:\Documents and Settings\user.USER-64C1C071A7\Application Data\Real
2007-12-13 22:39:36 0 d-------- C:\Documents and Settings\user.USER-64C1C071A7\Application Data\Identities
2007-12-13 22:39:04 0 d--h----- C:\Documents and Settings\user.USER-64C1C071A7\Templates
2007-12-13 22:39:04 0 dr------- C:\Documents and Settings\user.USER-64C1C071A7\Start Menu
2007-12-13 22:39:04 0 dr-h----- C:\Documents and Settings\user.USER-64C1C071A7\SendTo
2007-12-13 22:39:04 0 dr-h----- C:\Documents and Settings\user.USER-64C1C071A7\Recent
2007-12-13 22:39:04 0 d--h----- C:\Documents and Settings\user.USER-64C1C071A7\PrintHood
2007-12-13 22:39:04 0 d--h----- C:\Documents and Settings\user.USER-64C1C071A7\NetHood
2007-12-13 22:39:04 0 dr------- C:\Documents and Settings\user.USER-64C1C071A7\My Documents <MYDOCU~1>
2007-12-13 22:39:04 0 d--h----- C:\Documents and Settings\user.USER-64C1C071A7\Local Settings
2007-12-13 22:39:04 0 dr------- C:\Documents and Settings\user.USER-64C1C071A7\Favorites
2007-12-13 22:39:04 0 d-------- C:\Documents and Settings\user.USER-64C1C071A7\Desktop
2007-12-13 22:39:04 0 d--hs---- C:\Documents and Settings\user.USER-64C1C071A7\Cookies
2007-12-13 22:39:04 0 d--h----- C:\Documents and Settings\user.USER-64C1C071A7\Application Data
2007-12-13 22:39:03 8126464 --ah----- C:\Documents and Settings\user.USER-64C1C071A7\NTUSER.DAT
2007-12-13 22:34:54 0 d-------- C:\Program Files\Stardock
2007-12-13 22:00:16 0 d-------- C:\Documents and Settings\user\Application Data\MixMeister Technology
2007-12-13 21:58:53 0 d-------- C:\Program Files\MixMeister Fusion + Video
2007-12-11 17:01:15 0 --a------ C:\WINDOWS\nsreg.dat
2007-12-11 17:01:10 0 d-------- C:\Documents and Settings\user\Application Data\Wyzo
2007-12-11 17:01:10 0 d-------- C:\Documents and Settings\user\Application Data\.wyzo
2007-12-08 12:37:42 301568 --a------ C:\WINDOWS\system32\jldoia.exe
2007-12-07 12:38:13 0 d-------- C:\Program Files\Online TV Player 3
2007-12-05 22:34:09 0 d-------- C:\Documents and Settings\user\Application Data\MessengerSkinner
2007-12-05 22:34:07 0 d-------- C:\Program Files\MessengerSkinner
2007-12-05 18:18:58 0 d-------- C:\Program Files\uTorrent
2007-12-05 18:18:57 0 d-------- C:\Documents and Settings\user\Application Data\uTorrent
2007-12-03 22:24:47 0 d-------- C:\WINDOWS\RegisteredPackages
2007-12-01 00:19:54 0 d-------- C:\Program Files\Windows Live Favorites


-- Find3M Report ---------------------------------------------------------------

2007-12-31 06:31:45 0 d-------- C:\Program Files\Windows Live Toolbar
2007-12-31 06:12:57 0 d-------- C:\Program Files\SpeederXP
2007-12-30 19:10:37 0 d-------- C:\Program Files\QuickTime
2007-12-13 19:53:22 0 d-------- C:\Program Files\LimeWire
2007-12-07 12:31:38 0 d-------- C:\Program Files\myTV
2007-12-01 12:17:33 0 d-------- C:\Program Files\Windows Live
2007-11-27 23:08:25 0 d-------- C:\Program Files\KVS2007
2007-11-23 22:28:41 0 d-------- C:\Program Files\Macrogaming
2007-11-08 12:56:02 0 d-------- C:\Program Files\MSECache
2007-10-23 17:49:42 587776 --a------ C:\WINDOWS\WLXPGSS.SCR <Not Verified; Microsoft Corporation; Συλλογή φωτογραφιών του Windows Live>
2007-10-21 19:24:22 159744 --a------ C:\WINDOWS\system32\UCLiveCore.dll <Not Verified; ????????????; UC Live Core ?????>
2007-10-21 18:33:58 241664 --a------ C:\WINDOWS\system32\UCLiveSocket.dll <Not Verified; ????????????; UCliveSocket>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0347C33E-8762-4905-BF09-768834316C61}]
02/03/2007 03:52 ££ 1298024 -ra------ C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{053F9267-DC04-4294-A72C-58F732D338C0}]
02/03/2007 03:52 ££ 177768 -ra------ C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0B59E3DB-256D-48A1-81B9-5750102ED242}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{23CF6D25-9808-44BA-B07E-2E6B1D82FCAF}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2EF04B7F-3DF8-4E6C-B261-A673FF113544}]
C:\WINDOWS\system32\vturr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5F40ED11-E1AD-4B8D-B7F6-B1FCE81087CD}]
C:\WINDOWS\system32\geebc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{61AAA5A2-47AD-4039-A20D-D9A57EBE4745}]
30/12/2007 11:13 ££ 344576 --a------ C:\WINDOWS\system32\geedd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{736A0364-29FD-4B82-8C51-93534857C0D1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{822B1885-D350-45EC-933E-955BB0879C00}]
C:\WINDOWS\system32\ssqpm.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{89AF1DCA-6355-4465-94B0-E3D49FD2896B}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9CE01F99-8511-4A5B-939D-B75884CF2DC8}]
C:\WINDOWS\system32\vtutu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D0E836B8-89B4-4139-A895-9B6D6B80FEAC}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"P17Helper"="P17.dll" [03/05/2005 01:38 ££ C:\WINDOWS\system32\P17.dll]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [28/06/2007 11:43 ££]
"nwiz"="nwiz.exe" [28/06/2007 11:43 ££ C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [28/06/2007 11:43 ££]
"Windows Terminal Manager"="rmbsvc.exe" []
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [30/12/2007 11:14 ££]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [05/02/2007 02:39 ££ 294400]
"{3AEC3373-C823-4853-97D4-5B5549833BC3}"= C:\WINDOWS\system32\urqrqrs.dll [30/12/2007 05:24 ££ 39424]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll 23/09/2007 10:10 §£ 229376 C:\Program Files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wbsys.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\geedd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt hpqcxs08

*Newly Created Service* - RKPAVPROC
*Newly Created Service* - SDTHOOK



-- Hosts -----------------------------------------------------------------------

192.168.1.2 sapdev


-- End of Deckard's System Scanner: finished at 2007-12-31 11:16:11 ------------


Thanks in advance
OS: XP Home SP2
Attached Files
File Type: txt extra.txt (40.3 KB, 0 views)

Old 01-03-2008, 03:07 AM   #2 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
 
Angelfire777's Avatar
 
Join Date: Oct 2006
Posts: 4,581
OS: Vista


Re: Vundo infection

Hi, welcome to TSF!

Download combofix.exe
  • Save it to your desktop.
  • Double click combofix.exe & follow the prompts.
  • When finished, it shall produce a log for you. Post that log in your next reply along with a fresh HijackThis log.
Note:
  • In case you already used ComboFix previously, please delete the version you have and redownload it, because ComboFix is being updated every day.
  • Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
  • Do not post the ComboFix-quarantined-files.txt - unless I ask you to.
  • If your antivirus software is detecting ComboFix or a part of it as a virus, please choose to ignore it, as antivirus products cannot determine the good/bad use of some software embedded in ComboFix.
__________________
UNITE and ASAP since 2006


If we have helped you, please consider donating.

The past won't be able to hurt you unless you keep on looking back at it.
Old 01-03-2008, 05:32 AM   #3 (permalink)
Registered User
 
Join Date: Jan 2008
Posts: 6
OS: WindowsXP Home SP2


Re: Vundo infection

Hi,

here are the results:

ComboFix 08-01-03.4 - user 2008-01-03 13:32:28.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1253.1.1033.18.1559 [GMT 2:00]
Running from: C:\Documents and Settings\user.USER-64C1C071A7\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\user\Application Data\inst.exe
C:\Documents and Settings\user\Application Data\MessengerSkinner
C:\Documents and Settings\user\Application Data\MessengerSkinner\Userdata\languages_v2.xml
C:\Documents and Settings\user\Application Data\MessengerSkinner\Userdata\pack1.cab
C:\Documents and Settings\user\Local Settings\Application Data\cdlabjenvc.dat
C:\Documents and Settings\user\Local Settings\Application Data\cdlabjenvc.exe
C:\Documents and Settings\user\Local Settings\Application Data\cdlabjenvc_nav.dat
C:\Documents and Settings\user\Local Settings\Application Data\cdlabjenvc_navps.dat
C:\Documents and Settings\user\Start Menu\Programs\MessengerSkinner
C:\Documents and Settings\user\Start Menu\Programs\MessengerSkinner\MessengerSkinner.lnk
C:\Documents and Settings\user\Start Menu\Programs\MessengerSkinner\Privacy Policy.lnk
C:\Documents and Settings\user\Start Menu\Programs\MessengerSkinner\Terms and conditions.lnk
C:\Documents and Settings\user\Start Menu\Programs\MessengerSkinner\Website.lnk
C:\Program Files\messengerskinner
C:\Program Files\messengerskinner\download\defaultPack.cab
C:\Program Files\messengerskinner\MessengerSkinner.exe
C:\Program Files\messengerskinner\MessengerSkinnerDll.dll
C:\Program Files\messengerskinner\Privacy Policy.url
C:\Program Files\messengerskinner\resources\appconfig.xml
C:\Program Files\messengerskinner\resources\btn.rgn
C:\Program Files\messengerskinner\resources\btnBnr.rgn
C:\Program Files\messengerskinner\resources\btnIn.rgn
C:\Program Files\messengerskinner\resources\btnInNormal.bmp
C:\Program Files\messengerskinner\resources\btnInOver.bmp
C:\Program Files\messengerskinner\resources\btnNormal.bmp
C:\Program Files\messengerskinner\resources\btnNormal.gif
C:\Program Files\messengerskinner\resources\btnNormalBnr.bmp
C:\Program Files\messengerskinner\resources\btnNormalBnr.gif
C:\Program Files\messengerskinner\resources\btnOver.bmp
C:\Program Files\messengerskinner\resources\btnOver.gif
C:\Program Files\messengerskinner\resources\btnOverBnr.bmp
C:\Program Files\messengerskinner\resources\btnOverBnr.gif
C:\Program Files\messengerskinner\resources\languages_v2.xml
C:\Program Files\messengerskinner\Terms and conditions.url
C:\Program Files\messengerskinner\uninst.exe
C:\Program Files\messengerskinner\Website.url
C:\WINDOWS\system32\AutoRun.inf
C:\WINDOWS\system32\ddeeg.ini
C:\WINDOWS\system32\ddeeg.ini2
C:\WINDOWS\system32\drivers\sfsync03.sys
C:\WINDOWS\system32\geedd.dll
C:\WINDOWS\system32\nvs2.inf
C:\WINDOWS\system32\urqrqrs.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_SFSYNC03
-------\sfsync03


((((((((((((((((((((((((( Files Created from 2007-12-03 to 2008-01-03 )))))))))))))))))))))))))))))))
.

2008-01-03 13:30 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-12-31 11:04 . 2007-12-31 11:04 <DIR> d-------- C:\Deckard
2007-12-31 10:39 . 2007-12-31 10:39 <DIR> d-------- C:\ie-spyad_zo
2007-12-31 10:31 . 2008-01-02 11:53 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-12-31 01:26 . 2007-12-31 06:51 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-12-31 01:26 . 2007-12-31 03:49 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2007-12-31 01:26 . 2007-12-31 03:49 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-12-31 01:26 . 2007-12-31 03:49 1,406 --a------ C:\WINDOWS\system32\Help.ico
2007-12-30 23:14 . 2007-12-30 23:14 1 --a------ C:\WINDOWS\system32\geedd.exe
2007-12-30 18:28 . 2008-01-03 13:12 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-12-30 18:28 . 2007-12-30 18:28 <DIR> d-------- C:\Documents and Settings\user.USER-64C1C071A7\Application Data\PC Tools
2007-12-30 18:28 . 2007-10-18 00:16 79,688 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-12-30 18:28 . 2007-10-18 00:15 62,280 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-12-30 18:28 . 2007-10-18 00:14 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-12-30 18:28 . 2007-10-18 00:16 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-12-30 18:27 . 2005-09-23 08:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-12-30 18:23 . 2007-12-30 18:23 1 --a------ C:\WINDOWS\system32\geebc.exe
2007-12-30 18:02 . 2007-12-30 18:02 <DIR> d-------- C:\Documents and Settings\user.USER-64C1C071A7\Application Data\URSoft
2007-12-30 18:01 . 2007-12-31 06:31 <DIR> d-------- C:\Program Files\Your Uninstaller 2008
2007-12-30 16:52 . 2007-12-30 16:52 1 --a------ C:\WINDOWS\system32\mljjj.exe
2007-12-30 13:48 . 2007-12-30 13:48 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-30 13:39 . 2007-12-30 13:39 1 --a------ C:\WINDOWS\system32\ssqpm.exe
2007-12-30 01:13 . 2007-12-30 01:13 <DIR> d-------- C:\Documents and Settings\user.USER-64C1C071A7\Application Data\ESET
2007-12-30 00:40 . 2007-12-30 00:41 <DIR> d-------- C:\Documents and Settings\user.USER-64C1C071A7\Application Data\PrevxCSI
2007-12-30 00:40 . 2007-12-30 00:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2007-12-29 23:26 . 2007-12-29 23:26 1 --a------ C:\WINDOWS\system32\jkhhi.exe
2007-12-29 15:18 . 2007-12-29 15:18 1 --a------ C:\WINDOWS\system32\ssttr.exe
2007-12-29 02:46 . 2007-12-30 23:46 <DIR> d-------- C:\VundoFix Backups
2007-12-29 01:28 . 2007-12-30 01:09 <DIR> d-------- C:\Program Files\Trojan Remover
2007-12-29 01:28 . 2006-05-25 14:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2007-12-29 01:28 . 2003-02-02 19:06 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2007-12-29 01:28 . 2005-08-26 00:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2007-12-29 01:28 . 2002-03-06 00:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2007-12-29 01:28 . 2006-06-19 12:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2007-12-28 22:53 . 2007-12-30 01:09 <DIR> d-------- C:\Program Files\Error Repair Professional
2007-12-27 20:16 . 2007-12-29 02:01 <DIR> d-------- C:\Program Files\PowerISO
2007-12-27 13:30 . 2007-12-27 14:43 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2007-12-27 00:44 . 2007-12-27 00:44 348,160 --a------ C:\WINDOWS\system32\jkklj.exe
2007-12-27 00:40 . 2007-12-29 02:27 1,087 --a------ C:\WINDOWS\system32\jlkkj.ini.ren
2007-12-27 00:40 . 2007-12-29 02:27 973 --a------ C:\WINDOWS\system32\jlkkj.ini2.ren
2007-12-25 23:42 . 2007-12-25 23:53 <DIR> d-------- C:\Program Files\Alive Directory Uno
2007-12-25 23:42 . 2007-12-25 23:42 <DIR> d-------- C:\Documents and Settings\user.USER-64C1C071A7\Application Data\Seven Zip
2007-12-25 23:42 . 2007-12-25 23:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\{9D32D139-042F-4A88-9A6F-7EA2D5953D61}
2007-12-22 01:27 . 2001-09-24 17:43 232 --a------ C:\WINDOWS\XIIIHooligans.ini
2007-12-21 08:21 . 2007-12-21 08:21 71,176 --a------ C:\WINDOWS\system32\drivers\epfw.sys
2007-12-21 08:21 . 2007-12-21 08:21 53,768 --a------ C:\WINDOWS\system32\drivers\epfwtdi.sys
2007-12-21 08:21 . 2007-12-21 08:21 30,728 --a------ C:\WINDOWS\system32\drivers\epfwndis.sys
2007-12-18 23:50 . 2007-12-18 23:50 <DIR> d-------- C:\Program Files\Terminal Reality
2007-12-18 23:49 . 2007-12-18 23:49 <DIR> d-------- C:\Documents and Settings\user.USER-64C1C071A7\Application Data\Ahead
2007-12-18 23:39 . 2007-12-30 21:47 <DIR> d-------- C:\Documents and Settings\user.USER-64C1C071A7\Shared
2007-12-18 23:39 . 2007-12-30 21:50 <DIR> d-------- C:\Documents and Settings\user.USER-64C1C071A7\Incomplete
2007-12-17 22:44 . 2007-12-17 22:44 101,376 --a------ C:\WINDOWS\system32\drivers\ACEDRV07.sys
2007-12-17 22:42 . 2007-12-17 22:47 <DIR> d-------- C:\Program Files\Ski Alpin Racing 2007
2007-12-17 22:11 . 2007-12-17 22:11 <DIR> d-------- C:\Documents and Settings\user.USER-64C1C071A7\Application Data\Creative
2007-12-16 16:34 . 2007-12-16 16:34 1,202 --a------ C:\WINDOWS\mozver.dat
2007-12-15 13:05 . 2007-12-15 13:05 <DIR> d-------- C:\Program Files\ASIO4ALL v2
2007-12-15 12:36 . 2007-12-15 12:36 <DIR> d-------- C:\Documents and Settings\user.USER-64C1C071A7\Application Data\MixMeister Technology
2007-12-14 18:03 . 2007-12-15 16:03 <DIR> d-------- C:\Documents and Settings\user.USER-64C1C071A7\Contacts
2007-12-14 18:01 . 2007-12-26 21:29 <DIR> d-------- C:\Documents and Settings\user.USER-64C1C071A7\Application Data\LimeWire
2007-12-13 22:53 . 2007-12-14 00:21 <DIR> d-------- C:\Documents and Settings\user.USER-64C1C071A7\Application Data\HPAppData
2007-12-13 22:53 . 2007-12-13 22:53 <DIR> d-------- C:\Documents and Settings\user.USER-64C1C071A7\Application Data\.wyzo
2007-12-13 22:53 . 2007-12-13 22:53 0 --a------ C:\WINDOWS\WB.ini
2007-12-13 22:50 . 2007-12-13 22:50 <DIR> d-------- C:\Documents and Settings\user.USER-64C1C071A7\Application Data\Windows Desktop Search
2007-12-13 22:34 . 2007-12-13 22:34 <DIR> d-------- C:\Program Files\Stardock
2007-12-13 22:34 . 2007-07-11 15:06 42,672 --a------ C:\WINDOWS\system32\wbsys.dll
2007-12-13 22:00 . 2007-12-13 22:00 <DIR> d-------- C:\Documents and Settings\user\Application Data\MixMeister Technology
2007-12-13 21:58 . 2007-12-13 22:00 <DIR> d-------- C:\Program Files\MixMeister Fusion + Video
2007-12-11 17:01 . 2007-12-11 17:01 <DIR> d-------- C:\Documents and Settings\user\Application Data\Wyzo
2007-12-11 17:01 . 2007-12-11 17:01 <DIR> d-------- C:\Documents and Settings\user\Application Data\.wyzo
2007-12-11 17:01 . 2007-12-11 17:01 0 --a------ C:\WINDOWS\nsreg.dat
2007-12-08 12:37 . 2007-12-08 12:37 301,568 --a------ C:\WINDOWS\system32\jldoia.exe
2007-12-07 12:38 . 2007-12-07 12:39 <DIR> d-------- C:\Program Files\Online TV Player 3
2007-12-07 12:38 . 2007-12-07 12:38 10 --a------ C:\WINDOWS\system32\810429tv3-test.jun
2007-12-05 18:18 . 2007-12-05 18:18 <DIR> d-------- C:\Program Files\uTorrent
2007-12-05 18:18 . 2007-12-11 19:38 <DIR> d-------- C:\Documents and Settings\user\Application Data\uTorrent

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-31 04:31 --------- d-----w C:\Program Files\Windows Live Toolbar
2007-12-31 04:12 --------- d-----w C:\Program Files\SpeederXP
2007-12-30 22:57 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-30 18:59 --------- d-----w C:\Documents and Settings\user\Application Data\LimeWire
2007-12-30 17:10 --------- d-----w C:\Program Files\QuickTime
2007-12-29 23:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Eset
2007-12-21 06:20 30,216 ----a-w C:\WINDOWS\system32\drivers\easdrv.sys
2007-12-21 06:19 39,944 ----a-w C:\WINDOWS\system32\drivers\eamon.sys
2007-12-13 20:53 --------- d-----w C:\Documents and Settings\user.USER-64C1C071A7\Application Data\.wyzo
2007-12-13 17:53 --------- d-----w C:\Program Files\LimeWire
2007-12-12 22:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-12-11 15:01 --------- d-----w C:\Documents and Settings\user\Application Data\.wyzo
2007-12-07 10:31 --------- d-----w C:\Program Files\myTV
2007-12-01 10:17 --------- d-----w C:\Program Files\Windows Live
2007-11-30 22:19 --------- d-----w C:\Program Files\Windows Live Favorites
2007-11-27 21:08 --------- d-----w C:\Program Files\KVS2007
2007-11-23 20:28 --------- d-----w C:\Program Files\Macrogaming
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-08 10:56 --------- d-----w C:\Program Files\MSECache
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 15:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-23 15:49 587,776 ----a-w C:\WINDOWS\WLXPGSS.SCR
2007-10-21 17:24 159,744 ----a-w C:\WINDOWS\system32\UCLiveCore.dll
2007-10-21 16:33 241,664 ----a-w C:\WINDOWS\system32\UCLiveSocket.dll
2007-09-13 17:19 2,933 ----a-w C:\Program Files\rapget.ini
2007-09-13 17:19 17 ----a-w C:\Program Files\links.dat
2007-08-25 18:03 47,360 ----a-w C:\Documents and Settings\user\Application Data\pcouffin.sys
2007-08-04 09:21 912 ----a-w C:\Documents and Settings\user\Bindings.DAT
2007-06-24 17:30 9,787 ----a-w C:\Program Files\readme_en.txt
2007-06-24 17:30 11,075 ----a-w C:\Program Files\readme_rus.txt
2007-06-24 17:29 171,008 ----a-w C:\Program Files\rapget.exe
2007-06-23 15:32 79,432 ----a-w C:\Program Files\base.rob
.
Code:
----a-w           143,360 2008-01-03 11:40:06  C:\Program Files\Creative\MediaSource5\Go\CTCMSGoU   .exe
----a-w           519,680 2008-01-02 23:53:41  C:\Program Files\Creative\MediaSource5\Go\CTCMSGoU  .exe
----a-w         1,410,304 2007-12-27 12:44:12  C:\Program Files\Eset\ESET NOD32 Antivirus\egui  .exe
----a-w           132,496 2007-12-27 12:43:49  C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w           103,712 2007-12-27 12:43:51  C:\Program Files\Macrogaming\SweetIM\SweetIM .exe
----a-w            31,016 2007-12-27 11:30:40  C:\Program Files\Microsoft Office\Office12\GrooveMonitor .exe
----a-w           286,720 2007-12-30 10:32:41  C:\Program Files\QuickTime\qttask .exe
----a-w         1,065,800 2007-12-30 17:08:58  C:\Program Files\Spyware Doctor\SDTrayApp .exe
----a-w            15,360 2007-12-27 12:43:51  C:\WINDOWS\system32\ctfmon .exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0347C33E-8762-4905-BF09-768834316C61}]
2007-03-02 15:52 1298024 -ra------ C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{053F9267-DC04-4294-A72C-58F732D338C0}]
2007-03-02 15:52 177768 -ra------ C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2EF04B7F-3DF8-4E6C-B261-A673FF113544}]
C:\WINDOWS\system32\vturr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5F40ED11-E1AD-4B8D-B7F6-B1FCE81087CD}]
C:\WINDOWS\system32\geebc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{822B1885-D350-45EC-933E-955BB0879C00}]
C:\WINDOWS\system32\ssqpm.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{83948A01-2AE4-449B-84B7-F5E761C07990}]
C:\WINDOWS\system32\geedd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9CE01F99-8511-4A5B-939D-B75884CF2DC8}]
C:\WINDOWS\system32\vtutu.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [ ]
"Creative MediaSource Go"="C:\Program Files\Creative\MediaSource5\Go\CTCMSGoU .exe" [2008-01-03 13:40 143360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"P17Helper"="P17.dll" [2005-05-03 13:38 64512 C:\WINDOWS\system32\P17.dll]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-28 23:43 8466432]
"nwiz"="nwiz.exe" [2007-06-28 23:43 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-06-28 23:43 81920]
"Windows Terminal Manager"="rmbsvc.exe" []
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2008-01-03 13:40 1]
"combofix"="C:\WINDOWS\system32\cmd.exe" [2004-08-04 14:00 388608]

C:\Documents and Settings\user\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2007-09-17 16:26:25]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 14:39 294400]
"{3AEC3373-C823-4853-97D4-5B5549833BC3}"= C:\WINDOWS\system32\urqrqrs.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll 2007-09-23 10:10 229376 C:\Program Files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

R0 sfdrv01a;StarForce Protection Environment Driver (version 1.x.a);C:\WINDOWS\system32\drivers\sfdrv01a.sys [2006-07-05 14:46]
R1 easdrv;easdrv;C:\WINDOWS\system32\DRIVERS\easdrv.sys [2007-12-21 08:20]
R1 epfwtdi;epfwtdi;C:\WINDOWS\system32\DRIVERS\epfwtdi.sys [2007-12-21 08:21]
R2 eamon;EAMON;C:\WINDOWS\system32\DRIVERS\eamon.sys [2007-12-21 08:19]
R2 ekrn;Eset Service;"C:\Program Files\Eset\ESET NOD32 Antivirus\ekrn.exe" [2007-12-21 08:21]
R2 epfw;epfw;C:\WINDOWS\system32\DRIVERS\epfw.sys [2007-12-21 08:21]
R2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe [2004-07-14 00:05]
R3 Epfwndis;Eset Personal Firewall;C:\WINDOWS\system32\DRIVERS\Epfwndis.sys [2007-12-21 08:21]
R3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe [2004-07-14 00:05]
S3 EhttpSrv;Eset HTTP Server;"C:\Program Files\Eset\ESET NOD32 Antivirus\EHttpSrv.exe" [2007-12-21 08:22]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08

.
Contents of the 'Scheduled Tasks' folder
"2008-01-03 11:50:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-03 14:02:37
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-03 14:08:40 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-03 12:08:35
.
2007-12-12 22:43:29 --- E O F ---



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:23:57 μμ, on 3/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Eset\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Creative\MediaSource5\Go\CTCMSGoU .exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.flash.gr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SWEETIE - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - C:\PROGRA~1\MACROG~1\SWEETI~1\toolbar.dll
O2 - BHO: (no name) - {2EF04B7F-3DF8-4E6C-B261-A673FF113544} - C:\WINDOWS\system32\vturr.dll (file missing)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Plugin Class - {56CD20F0-7C09-11D5-A768-0050042307CE} - C:\PlayerIE\playerIE.dll
O2 - BHO: (no name) - {5F40ED11-E1AD-4B8D-B7F6-B1FCE81087CD} - C:\WINDOWS\system32\geebc.dll (file missing)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {822B1885-D350-45EC-933E-955BB0879C00} - C:\WINDOWS\system32\ssqpm.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {9CE01F99-8511-4A5B-939D-B75884CF2DC8} - C:\WINDOWS\system32\vtutu.dll (file missing)
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Windows Terminal Manager] rmbsvc.exe
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE
O4 - HKCU\..\Run: [Creative MediaSource Go] "C:\Program Files\Creative\MediaSource5\Go\CTCMSGoU .exe" /SCB
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Download with Rapget - C:\Documents and Settings\user.USER-64C1C071A7\My Documents\rapget140\rapget.htm
O8 - Extra context menu item: E&ξαγωγή στο Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Προσθήκη στο ιστολόγιο - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Προσθήκη στο ιστολόγιο στο Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Αποστολή στο OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Α&ποστολή στο OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Πρόχειρες σελίδες HP - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Έξυπνη επιλογή HP - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {070CA17A-4BD2-4612-83B4-32B1B9159B47} (ULiveCtrl Control) - http://uc.sina.com.cn/download/live/weblive2.4.0.0.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://maps.flash.gr/inc/activex/mgaxctrl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B8290E1B-1969-4467-98E5-F5CD44C2156C}: NameServer = 194.219.227.2,193.92.150.3
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\Eset\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\Eset\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe

--
End of file - 10562 bytes


Many thanks
andreasm is offline  
Old 01-03-2008, 06:35 AM   #4 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
 
Angelfire777's Avatar
 
Join Date: Oct 2006
Posts: 4,581
OS: Vista


Re: Vundo infection

Hi,

*A few optionals that I would recommend be uninstalled.

uTorrent
LimeWire

This program is very likely the reason your system is infested with malware. Even when a program like this is not infected itself, it will still bring malware into your system because more than half of all files available for download from peer-to-peer networks have been deliberately infected with some form of malware. I recommend that you remove this program from your system.

*Click Start > Control Panel > Add or Remove Programs and uninstall the items I listed in bold if found.

Delete the following folders if you uninstalled their corresponding programs:

C:\Documents and Settings\user.USER-64C1C071A7\Shared <<Limewire related
C:\Documents and Settings\user.USER-64C1C071A7\Incomplete <<Limewire related
C:\Documents and Settings\user.USER-64C1C071A7\Application Data\LimeWire
C:\Documents and Settings\user\Application Data\LimeWire
C:\Documents and Settings\user\Application Data\uTorrent
C:\Program Files\LimeWire
C:\Program Files\uTorrent
_____

Open HijackThis > choose Scan Only > Place a checkmark in the boxes beside these entries in bold.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

Close your browsers and all open windows except for HijackThis, then click "Fix checked". Exit HijackThis.
_____

Combofix Deletions
  • Open notepad.
  • Copy and paste the text inside the code box below to notepad
Code:
Killall::

File::
C:\WINDOWS\system32\pavas.ico
C:\WINDOWS\system32\Uninstall.ico
C:\WINDOWS\system32\Help.ico
C:\WINDOWS\system32\geedd.exe
C:\WINDOWS\system32\geebc.exe
C:\WINDOWS\system32\mljjj.exe
C:\WINDOWS\system32\ssqpm.exe
C:\WINDOWS\system32\jkhhi.exe
C:\WINDOWS\system32\ssttr.exe
C:\WINDOWS\system32\jkklj.exe
C:\WINDOWS\system32\jlkkj.ini.ren
C:\WINDOWS\system32\jlkkj.ini2.ren
C:\Program Files\Creative\MediaSource5\Go\CTCMSGoU  .exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe

Folder::
C:\VundoFix Backups

RENV::
C:\Program Files\Creative\MediaSource5\Go\CTCMSGoU   .exe
C:\Program Files\Eset\ESET NOD32 Antivirus\egui  .exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\Program Files\Macrogaming\SweetIM\SweetIM .exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\Spyware Doctor\SDTrayApp .exe
C:\WINDOWS\system32\ctfmon .exe

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2EF04B7F-3DF8-4E6C-B261-A673FF113544}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5F40ED11-E1AD-4B8D-B7F6-B1FCE81087CD}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{822B1885-D350-45EC-933E-955BB0879C00}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{83948A01-2AE4-449B-84B7-F5E761C07990}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9CE01F99-8511-4A5B-939D-B75884CF2DC8}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Terminal Manager"=-
"combofix"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{3AEC3373-C823-4853-97D4-5B5549833BC3}"=-

Filelook::
C:\WINDOWS\system32\jldoia.exe
  • Save and name it as "CFScript"
  • Drag and drop CFScript.txt onto your copy of combofix.
  • You can take a look at the image below if you're unsure how to do it.
  • Combofix will restart your machine, then it will produce a log afterwards.
  • Please post the contents of that log along with a fresh HijackThis log.
______

Please do an online scan with Kaspersky WebScanner

Warning: If you had Kaspersky online scanner installed before 10-5-2007, please uninstall it, as Kaspersky released a new version. The previous version had a serious flaw which could result in a buffer overflow.

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    • Extended (if available, otherwise Standard)
    • Scan Options:
    • Scan Archives
    • Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
    • Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.

On your next reply, please include a
  • Fresh HijackThis log.
  • kaspersky scan log
  • combofix log
__________________
UNITE and ASAP since 2006


If we have helped you, please consider donating.

The past won't be able to hurt you unless you keep on looking back at it.

Last edited by Angelfire777; 01-03-2008 at 06:36 AM.
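The CFScript above removes four BHO CLSIDs and two Run values and then asks for a fresh HijackThis log to confirm the infection has not come back. The following Python script is an added example, not code from this thread or from HijackThis, ComboFix or any other tool mentioned here: it reads HijackThis-style lines and reports any of those removed CLSIDs or Run value names that have reappeared, and it flags file names with whitespace before the extension (the ComboFix output in the next reply lists several such copies, for instance `CTCMSGoU .exe` and `ctfmon .exe`, which it deleted). Four of the sample lines are taken from the log posted in this thread; the `(no name)` BHO line and the `Windows Terminal Manager` line are constructed to show what a returning entry looks like, and the `example_payload.exe` path is a placeholder.

```python
import re

# Removal list copied from the CFScript in this thread: BHO CLSIDs and
# Run value names that ComboFix was instructed to delete.
REMOVED_BHO_CLSIDS = {
    "{5F40ED11-E1AD-4B8D-B7F6-B1FCE81087CD}",
    "{822B1885-D350-45EC-933E-955BB0879C00}",
    "{83948A01-2AE4-449B-84B7-F5E761C07990}",
    "{9CE01F99-8511-4A5B-939D-B75884CF2DC8}",
}
REMOVED_RUN_NAMES = {"Windows Terminal Manager", "combofix"}

# Constructed sample log. Lines 1, 3, 5 and 6 are copied from the HijackThis
# log in this thread; lines 2 and 4 are constructed re-infection examples
# (the geebc.dll name comes from the ComboFix deletions, example_payload.exe
# is a placeholder path).
SAMPLE_HJT_LOG = r"""
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: (no name) - {5F40ED11-E1AD-4B8D-B7F6-B1FCE81087CD} - C:\WINDOWS\system32\geebc.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Windows Terminal Manager] C:\WINDOWS\system32\example_payload.exe
O4 - HKCU\..\Run: [Creative MediaSource Go] "C:\Program Files\Creative\MediaSource5\Go\CTCMSGoU .exe" /SCB
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE
""".strip()

# A registry-style CLSID such as {5F40ED11-E1AD-4B8D-B7F6-B1FCE81087CD}.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# HijackThis O4 line: "O4 - HKLM\..\Run: [ValueName] command".
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# A file name with whitespace right before its extension, e.g. "ctfmon .exe".
# Such a name sits beside the legitimate file and is easy to misread as it.
SPACE_BEFORE_EXT_RE = re.compile(r"[^\\\s]+\s+\.(exe|dll)\b", re.IGNORECASE)


def check_hjt_log(text, removed_clsids=REMOVED_BHO_CLSIDS,
                  removed_run_names=REMOVED_RUN_NAMES):
    """Return a list of (line_no, reason, line) findings for an HJT log."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        line = line.rstrip()
        if line.startswith("O2 - BHO:"):
            # A BHO that the CFScript deleted should not be back in the log.
            for clsid in CLSID_RE.findall(line):
                if clsid.upper() in removed_clsids:
                    findings.append((no, "removed BHO CLSID has reappeared", line))
        m = O4_RE.match(line)
        if m and m.group("name") in removed_run_names:
            findings.append((no, "removed Run value has reappeared", line))
        if SPACE_BEFORE_EXT_RE.search(line):
            findings.append((no, "file name has whitespace before its extension", line))
    return findings


if __name__ == "__main__":
    for no, reason, line in check_hjt_log(SAMPLE_HJT_LOG):
        print(f"line {no}: {reason}\n    {line}")
```

Feed it the text of a real HijackThis log (for example `check_hjt_log(open("hijackthis.log").read())`) after extending the two removal sets with whatever the CFScript for that machine deleted; an empty result means none of the removed entries are back and no space-before-extension names are present in the autostart lines.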
Old 01-03-2008, 01:24 PM   #5 (permalink)
Registered User
 
Join Date: Jan 2008
Posts: 6
OS: WindowsXP Home SP2


Re: Vundo infection

ComboFix 08-01-03.4 - user 2008-01-03 1636.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1253.1.1033.18.1596 [GMT 2:00]
Running from: C:\Documents and Settings\user.USER-64C1C071A7\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\user.USER-64C1C071A7\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\Program Files\Creative\MediaSource5\Go\CTCMSGoU .exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\system32\geebc.exe
C:\WINDOWS\system32\geedd.exe
C:\WINDOWS\system32\Help.ico
C:\WINDOWS\system32\jkhhi.exe
C:\WINDOWS\system32\jkklj.exe
C:\WINDOWS\system32\jlkkj.ini.ren
C:\WINDOWS\system32\jlkkj.ini2.ren
C:\WINDOWS\system32\mljjj.exe
C:\WINDOWS\system32\pavas.ico
C:\WINDOWS\system32\ssqpm.exe
C:\WINDOWS\system32\ssttr.exe
C:\WINDOWS\system32\Uninstall.ico
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Creative\MediaSource5\Go\CTCMSGoU .exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\VundoFix Backups
C:\VundoFix Backups\addmorefiles.txt
C:\VundoFix Backups\cbeeg.ini.bad
C:\VundoFix Backups\cbeeg.ini2.bad
C:\VundoFix Backups\fccabxu.dll.bad
C:\VundoFix Backups\fcccdab.dll.bad
C:\VundoFix Backups\fccdddd.dll.bad
C:\VundoFix Backups\geebc.dll.bad
C:\VundoFix Backups\ihhkj.ini.bad
C:\VundoFix Backups\ihhkj.ini2.bad
C:\VundoFix Backups\jjjlm.ini.bad
C:\VundoFix Backups\jjjlm.ini2.bad
C:\VundoFix Backups\jkhhi.dll.bad
C:\VundoFix Backups\jkklj.dll.bad
C:\VundoFix Backups\jlkkj.ini.bad
C:\VundoFix Backups\jlkkj.ini2.bad
C:\VundoFix Backups\mljjj.dll.bad
C:\VundoFix Backups\mpqss.ini.bad
C:\VundoFix Backups\mpqss.ini2.bad
C:\VundoFix Backups\rqrqnoo.dll.bad
C:\VundoFix Backups\rrutv.ini.bad
C:\VundoFix Backups\rrutv.ini2.bad
C:\VundoFix Backups\rttss.ini.bad
C:\VundoFix Backups\rttss.ini2.bad
C:\VundoFix Backups\ssqnkif.dll.bad
C:\VundoFix Backups\ssqpm.dll.bad
C:\VundoFix Backups\ssttr.dll.bad
C:\VundoFix Backups\urqnkkl.dll.bad
C:\VundoFix Backups\urqrqrs.dll.bad
C:\VundoFix Backups\ututv.ini.bad
C:\VundoFix Backups\ututv.ini2.bad
C:\VundoFix Backups\vturr.dll.bad
C:\VundoFix Backups\vtutu.dll.bad
C:\WINDOWS\system32\geebc.exe
C:\WINDOWS\system32\geedd.exe
C:\WINDOWS\system32\Help.ico
C:\WINDOWS\system32\jkhhi.exe
C:\WINDOWS\system32\jkklj.exe
C:\WINDOWS\system32\jlkkj.ini.ren
C:\WINDOWS\system32\jlkkj.ini2.ren
C:\WINDOWS\system32\mljjj.exe
C:\WINDOWS\system32\pavas.ico
C:\WINDOWS\system32\ssqpm.exe
C:\WINDOWS\system32\ssttr.exe
C:\WINDOWS\system32\Uninstall.ico

.
((((((((((((((((((((((((( Files Created from 2007-12-03 to 2008-01-03 )))))))))))))))))))))))))))))))
.

2008-01-03 13:30 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-12-31 11:04 . 2007-12-31 11:04 <DIR> d-------- C:\Deckard
2007-12-31 10:39 . 2007-12-31 10:39 <DIR> d-------- C:\ie-spyad_zo
2007-12-31 10:31 . 2008-01-02 11:53 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-12-31 01:26 . 2007-12-31 06:51 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-12-30 18:28 . 2008-01-03 16:10 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-12-30 18:28 . 2007-12-30 18:28 <DIR> d-------- C:\Documents and Settings\user.USER-64C1C071A7\Application Data\PC Tools
2007-12-30 18:28 . 2007-10-18 00:16 79,688 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-12-30 18:28 . 2007-10-18 00:15 62,280 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-12-30 18:28 . 2007-10-18 00:14 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-12-30 18:28 . 2007-10-18 00:16 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-12-30 18:27 . 2005-09-23 08:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-12-30 18:02 . 2007-12-30 18:02 <DIR> d-------- C:\Documents and Settings\user.USER-64C1C071A7\Application Data\URSoft
2007-12-30 18:01 . 2007-12-31 06:31 <DIR> d-------- C:\Program Files\Your Uninstaller 2008
2007-12-30 13:48 . 2007-12-30 13:48 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-30 01:13 . 2007-12-30 01:13 <DIR> d-------- C:\Documents and Settings\user.USER-64C1C071A7\Application Data\ESET
2007-12-30 00:40 . 2007-12-30 00:41 <DIR> d-------- C:\Documents and Settings\user.USER-64C1C071A7\Application Data\PrevxCSI
2007-12-30 00:40 . 2007-12-30 00:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2007-12-29 01:28 . 2007-12-30 01:09 <DIR> d-------- C:\Program Files\Trojan Remover
2007-12-29 01:28 . 2006-05-25 14:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2007-12-29 01:28 . 2003-02-02 19:06 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2007-12-29 01:28 . 2005-08-26 00:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2007-12-29 01:28 . 2002-03-06 00:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2007-12-29 01:28 . 2006-06-19 12:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2007-12-28 22:53 . 2007-12-30 01:09 <DIR> d-------- C:\Program Files\Error Repair Professional
2007-12-27 20:16 . 2007-12-29 02:01 <DIR> d-------- C:\Program Files\PowerISO
2007-12-27 13:30 . 2007-12-27 14:43 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2007-12-25 23:42 . 2007-12-25 23:53 <DIR> d-------- C:\Program Files\Alive Directory Uno
2007-12-25 23:42 . 2007-12-25 23:42 <DIR> d-------- C:\Documents and Settings\user.USER-64C1C071A7\Application Data\Seven Zip
2007-12-25 23:42 . 2007-12-25 23:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\{9D32D139-042F-4A88-9A6F-7EA2D5953D61}
2007-12-22 01:27 . 2001-09-24 17:43 232 --a------ C:\WINDOWS\XIIIHooligans.ini
2007-12-21 08:21 . 2007-12-21 08:21 71,176 --a------ C:\WINDOWS\system32\drivers\epfw.sys
2007-12-21 08:21 . 2007-12-21 08:21 53,768 --a------ C:\WINDOWS\system32\drivers\epfwtdi.sys
2007-12-21 08:21 . 2007-12-21 08:21 30,728 --a------ C:\WINDOWS\system32\drivers\epfwndis.sys
2007-12-18 23:50 . 2007-12-18 23:50 <DIR> d-------- C:\Program Files\Terminal Reality
2007-12-18 23:49 . 2007-12-18 23:49 <DIR> d-------- C:\Documents and Settings\user.USER-64C1C071A7\Application Data\Ahead
2007-12-18 23:39 . 2007-12-30 21:47 <DIR> d-------- C:\Documents and Settings\user.USER-64C1C071A7\Shared
2007-12-18 23:39 . 2007-12-30 21:50 <DIR> d-------- C:\Documents and Settings\user.USER-64C1C071A7\Incomplete
2007-12-17 22:44 . 2007-12-17 22:44 101,376 --a------ C:\WINDOWS\system32\drivers\ACEDRV07.sys
2007-12-17 22:42 . 2007-12-17 22:47 <DIR> d-------- C:\Program Files\Ski Alpin Racing 2007
2007-12-17 22:11 . 2007-12-17 22:11 <DIR> d-------- C:\Documents and Settings\user.USER-64C1C071A7\Application Data\Creative
2007-12-16 16:34 . 2007-12-16 16:34 1,202 --a------ C:\WINDOWS\mozver.dat
2007-12-15 13:05 . 2007-12-15 13:05 <DIR> d-------- C:\Program Files\ASIO4ALL v2
2007-12-15 12:36 . 2007-12-15 12:36 <DIR> d-------- C:\Documents and Settings\user.USER-64C1C071A7\Application Data\MixMeister Technology
2007-12-14 18:03 . 2007-12-15 16:03 <DIR> d-------- C:\Documents and Settings\user.USER-64C1C071A7\Contacts
2007-12-13 22:53 . 2007-12-14 00:21 <DIR> d-------- C:\Documents and Settings\user.USER-64C1C071A7\Application Data\HPAppData
2007-12-13 22:53 . 2007-12-13 22:53 0 --a------ C:\WINDOWS\WB.ini
2007-12-13 22:50 . 2007-12-13 22:50 <DIR> d-------- C:\Documents and Settings\user.USER-64C1C071A7\Application Data\Windows Desktop Search
2007-12-13 22:34 . 2007-12-13 22:34 <DIR> d-------- C:\Program Files\Stardock
2007-12-13 22:34 . 2007-07-11 15:06 42,672 --a------ C:\WINDOWS\system32\wbsys.dll
2007-12-13 22:00 . 2007-12-13 22:00 <DIR> d-------- C:\Documents and Settings\user\Application Data\MixMeister Technology
2007-12-13 21:58 . 2007-12-13 22:00 <DIR> d-------- C:\Program Files\MixMeister Fusion + Video
2007-12-11 17:01 . 2007-12-11 17:01 <DIR> d-------- C:\Documents and Settings\user\Application Data\Wyzo
2007-12-11 17:01 . 2007-12-11 17:01 <DIR> d-------- C:\Documents and Settings\user\Application Data\.wyzo
2007-12-11 17:01 . 2007-12-11 17:01 0 --a------ C:\WINDOWS\nsreg.dat
2007-12-08 12:37 . 2007-12-08 12:37 301,568 --a------ C:\WINDOWS\system32\jldoia.exe
2007-12-07 12:38 . 2007-12-07 12:39 <DIR> d-------- C:\Program Files\Online TV Player 3
2007-12-07 12:38 . 2007-12-07 12:38 10 --a------ C:\WINDOWS\system32\810429tv3-test.jun

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-03 13:47 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-31 04:31 --------- d-----w C:\Program Files\Windows Live Toolbar
2007-12-31 04:12 --------- d-----w C:\Program Files\SpeederXP
2007-12-30 17:10 --------- d-----w C:\Program Files\QuickTime
2007-12-29 23:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Eset
2007-12-21 06:20 30,216 ----a-w C:\WINDOWS\system32\drivers\easdrv.sys
2007-12-21 06:19 39,944 ----a-w C:\WINDOWS\system32\drivers\eamon.sys
2007-12-12 22:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-12-11 15:01 --------- d-----w C:\Documents and Settings\user\Application Data\.wyzo
2007-12-07 10:31 --------- d-----w C:\Program Files\myTV
2007-12-01 10:17 --------- d-----w C:\Program Files\Windows Live
2007-11-30 22:19 --------- d-----w C:\Program Files\Windows Live Favorites
2007-11-27 21:08 --------- d-----w C:\Program Files\KVS2007
2007-11-23 20:28 --------- d-----w C:\Program Files\Macrogaming
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-08 10:56 --------- d-----w C:\Program Files\MSECache
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 15:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-23 15:49 587,776 ----a-w C:\WINDOWS\WLXPGSS.SCR
2007-10-21 17:24 159,744 ----a-w C:\WINDOWS\system32\UCLiveCore.dll
2007-10-21 16:33 241,664 ----a-w C:\WINDOWS\system32\UCLiveSocket.dll
2007-09-13 17:19 2,933 ----a-w C:\Program Files\rapget.ini
2007-09-13 17:19 17 ----a-w C:\Program Files\links.dat
2007-08-25 18:03 47,360 ----a-w C:\Documents and Settings\user\Application Data\pcouffin.sys
2007-08-04 09:21 912 ----a-w C:\Documents and Settings\user\Bindings.DAT
2007-06-24 17:30 9,787 ----a-w C:\Program Files\readme_en.txt
2007-06-24 17:30 11,075 ----a-w C:\Program Files\readme_rus.txt
2007-06-24 17:29 171,008 ----a-w C:\Program Files\rapget.exe
2007-06-23 15:32 79,432 ----a-w C:\Program Files\base.rob
.
----a-w           143,360 2008-01-03 11:40:06  C:\Program Files\Creative\MediaSource5\Go\CTCMSGoU   .exe
----a-w         1,410,304 2007-12-27 12:44:12  C:\Program Files\Eset\ESET NOD32 Antivirus\egui  .exe
----a-w           132,496 2007-12-27 12:43:49  C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w           103,712 2007-12-27 12:43:51  C:\Program Files\Macrogaming\SweetIM\SweetIM .exe
----a-w            31,016 2007-12-27 11:30:40  C:\Program Files\Microsoft Office\Office12\GrooveMonitor .exe
----a-w           286,720 2007-12-30 10:32:41  C:\Program Files\QuickTime\qttask .exe
----a-w         1,065,800 2007-12-30 17:08:58  C:\Program Files\Spyware Doctor\SDTrayApp .exe
----a-w            15,360 2007-12-27 12:43:51  C:\WINDOWS\system32\ctfmon .exe

((((((((((((((((((((((((((((( snapshot@2008-01-03_14.08.09.09 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-03 14:13:53 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_c8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0347C33E-8762-4905-BF09-768834316C61}]
2007-03-02 15:52 1298024 -ra------ C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{053F9267-DC04-4294-A72C-58F732D338C0}]
2007-03-02 15:52 177768 -ra------ C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [ ]
"Creative MediaSource Go"="C:\Program Files\Creative\MediaSource5\Go\CTCMSGoU .exe" [2008-01-03 13:40 143360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"P17Helper"="P17.dll" [2005-05-03 13:38 64512 C:\WINDOWS\system32\P17.dll]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-28 23:43 8466432]
"nwiz"="nwiz.exe" [2007-06-28 23:43 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-06-28 23:43 81920]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [ ]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 14:39 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll 2007-09-23 10:10 229376 C:\Program Files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

R0 sfdrv01a;StarForce Protection Environment Driver (version 1.x.a);C:\WINDOWS\system32\drivers\sfdrv01a.sys [2006-07-05 14:46]
R1 easdrv;easdrv;C:\WINDOWS\system32\DRIVERS\easdrv.sys [2007-12-21 08:20]
R1 epfwtdi;epfwtdi;C:\WINDOWS\system32\DRIVERS\epfwtdi.sys [2007-12-21 08:21]
R2 eamon;EAMON;C:\WINDOWS\system32\DRIVERS\eamon.sys [2007-12-21 08:19]
R2 ekrn;Eset Service;"C:\Program Files\Eset\ESET NOD32 Antivirus\ekrn.exe" [2007-12-21 08:21]
R2 epfw;epfw;C:\WINDOWS\system32\DRIVERS\epfw.sys [2007-12-21 08:21]
R2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe [2004-07-14 00:05]
R3 Epfwndis;Eset Personal Firewall;C:\WINDOWS\system32\DRIVERS\Epfwndis.sys [2007-12-21 08:21]
R3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe [2004-07-14 00:05]
S3 EhttpSrv;Eset HTTP Server;"C:\Program Files\Eset\ESET NOD32 Antivirus\EHttpSrv.exe" [2007-12-21 08:22]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08

.
Contents of the 'Scheduled Tasks' folder
"2008-01-03 13:50:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-03 16:13:27
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-03 16:20:57 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-03 14:20:52
ComboFix2.txt 2008-01-03 12:08:40
.
2007-12-12 22:43:29 --- E O F ---



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:24:17 μμ, on 3/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Eset\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Creative\MediaSource5\Go\CTCMSGoU .exe
C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\HP\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.flash.gr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SWEETIE - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - C:\PROGRA~1\MACROG~1\SWEETI~1\toolbar.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Plugin Class - {56CD20F0-7C09-11D5-A768-0050042307CE} - C:\PlayerIE\playerIE.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE
O4 - HKCU\..\Run: [Creative MediaSource Go] "C:\Program Files\Creative\MediaSource5\Go\CTCMSGoU .exe" /SCB
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Download with Rapget - C:\Documents and Settings\user.USER-64C1C071A7\My Documents\rapget140\rapget.htm
O8 - Extra context menu item: E&ξαγωγή στο Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Προσθήκη στο ιστολόγιο - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Προσθήκη στο ιστολόγιο στο Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Αποστολή στο OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Α&ποστολή στο OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Πρόχειρες σελίδες HP - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Έξυπνη επιλογή HP - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {070CA17A-4BD2-4612-83B4-32B1B9159B47} (ULiveCtrl Control) - http://uc.sina.com.cn/download/live/weblive2.4.0.0.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://maps.flash.gr/inc/activex/mgaxctrl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B8290E1B-1969-4467-98E5-F5CD44C2156C}: NameServer = 194.219.227.2,193.92.150.3
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\Eset\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\Eset\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe

--
End of file - 10221 bytes



-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, January 03, 2008 10:20:02 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 3/01/2008
Kaspersky Anti-Virus database records: 502025
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
I:\

Scan Statistics:
Total number of scanned objects: 286768
Number of viruses found: 12
Number of infected objects: 73
Number of suspicious objects: 0
Duration of the scan process: 05:39:36

Infected Object Name / Virus Name / Last Action
C:\Deckard\System Scanner\backup\DOCUME~1\USER~1.USE\LOCALS~1\Temp\24.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.dhx skipped
C:\Deckard\System Scanner\backup\DOCUME~1\USER~1.USE\LOCALS~1\Temp\48.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.dhx skipped
C:\Deckard\System Scanner\backup\DOCUME~1\USER~1.USE\LOCALS~1\Temp\52.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.dhx skipped
C:\Deckard\System Scanner\backup\DOCUME~1\USER~1.USE\LOCALS~1\Temp\55.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.dhx skipped
C:\Deckard\System Scanner\backup\DOCUME~1\USER~1.USE\LOCALS~1\Temp\60.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.dhx skipped
C:\Deckard\System Scanner\backup\DOCUME~1\USER~1.USE\LOCALS~1\Temp\80.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.dhx skipped
C:\Deckard\System Scanner\backup\DOCUME~1\USER~1.USE\LOCALS~1\Temp\image112.zip/image112-newfacebook.JPG-scannedby-MSN.com Infected: Backdoor.Win32.IRCBot.axh skipped
C:\Deckard\System Scanner\backup\DOCUME~1\USER~1.USE\LOCALS~1\Temp\image112.zip ZIP: infected - 1 skipped
C:\Deckard\System Scanner\backup\DOCUME~1\USER~1.USE\LOCALS~1\Temp\image113.zip/image113.jpg-www.photoshare.com Infected: Backdoor.Win32.IRCBot.axh skipped
C:\Deckard\System Scanner\backup\DOCUME~1\USER~1.USE\LOCALS~1\Temp\image113.zip ZIP: infected - 1 skipped
C:\Deckard\System Scanner\backup\DOCUME~1\USER~1.USE\LOCALS~1\Temp\image117.zip/image117.jpg-www.picshare.com Infected: Backdoor.Win32.IRCBot.axn skipped
C:\Deckard\System Scanner\backup\DOCUME~1\USER~1.USE\LOCALS~1\Temp\image117.zip ZIP: infected - 1 skipped
C:\Deckard\System Scanner\backup\DOCUME~1\USER~1.USE\LOCALS~1\Temp\image119.zip/image119.jpg-www.picshare.com Infected: Backdoor.Win32.IRCBot.axn skipped
C:\Deckard\System Scanner\backup\DOCUME~1\USER~1.USE\LOCALS~1\Temp\image119.zip ZIP: infected - 1 skipped
C:\Deckard\System Scanner\backup\DOCUME~1\USER~1.USE\LOCALS~1\Temp\image127.zip/image127.JPG-www.picshare.com Infected: Backdoor.Win32.IRCBot.axy skipped
C:\Deckard\System Scanner\backup\DOCUME~1\USER~1.USE\LOCALS~1\Temp\image127.zip ZIP: infected - 1 skipped
C:\Deckard\System Scanner\backup\DOCUME~1\USER~1.USE\LOCALS~1\Temp\image134.zip/image134.jpg-www.photoshare.com Infected: Backdoor.Win32.IRCBot.axn skipped
C:\Deckard\System Scanner\backup\DOCUME~1\USER~1.USE\LOCALS~1\Temp\image134.zip ZIP: infected - 1 skipped
C:\Deckard\System Scanner\backup\WINDOWS\temp\NSIS_install_msgskinner.exe/stream/data0006 Infected: not-a-virus:AdWare.Win32.NaviPromo.cc skipped
C:\Deckard\System Scanner\backup\WINDOWS\temp\NSIS_install_msgskinner.exe/stream Infected: not-a-virus:AdWare.Win32.NaviPromo.cc skipped
C:\Deckard\System Scanner\backup\WINDOWS\temp\NSIS_install_msgskinner.exe NSIS: infected - 2 skipped
C:\Documents and Settings\All Users\Application Data\Eset\ESET Smart Security\Charon\CACHE.NDB Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Eset\ESET Smart Security\Logs\epfwlog.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Eset\ESET Smart Security\Logs\virlog.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Eset\ESET Smart Security\Logs\warnlog.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.8.Crwl Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.8.gthr Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSS.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010001.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010002.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010003.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010004.ci Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010004.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010004.wsb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010005.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010006.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010007.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010010.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010013.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\INDEX.000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\Used0000.000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.chk1.gthr Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.chk2.gthr Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.Ntfy54.gthr Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\tmp.edb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Windows.edb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf1.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Perflib_Perfdata_2f4.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\user\Incomplete\Preview-T-3045692-01 Track 1.wma Infected: Trojan-Downloader.WMA.Wimad.l skipped
C:\Documents and Settings\user\Incomplete\Preview-T-3200824-07 Track 7.wma Infected: Trojan-Downloader.WMA.Wimad.l skipped
C:\Documents and Settings\user\Incomplete\T-3045692-01 Track 1.wma Infected: Trojan-Downloader.WMA.Wimad.l skipped
C:\Documents and Settings\user\Shared\07 Track 7.wma Infected: Trojan-Downloader.WMA.Wimad.l skipped
C:\Documents and Settings\user\Shared\ta plokamia toy karxaria.zip/Setup.exe Infected: not-a-virus:AdWare.Win32.Agent.zk skipped
C:\Documents and Settings\user\Shared\ta plokamia toy karxaria.zip ZIP: infected - 1 skipped
C:\Documents and Settings\user\Shared\Top of Charts - 2004.wma Infected: Trojan-Downloader.WMA.Wimad.l skipped
C:\Documents and Settings\user\Shared\TOTALLY HIP TRACK.wma Infected: Trojan-Downloader.WMA.Wimad.l skipped
C:\Documents and Settings\user.USER-64C1C071A7\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\user.USER-64C1C071A7\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\user.USER-64C1C071A7\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\user.USER-64C1C071A7\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\user.USER-64C1C071A7\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\user.USER-64C1C071A7\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\user.USER-64C1C071A7\My Documents\32 bit\New NΟD Addon\User & Pass v8.0.exe Infected: Trojan.Win32.Autoit.bg skipped
C:\Documents and Settings\user.USER-64C1C071A7\My Documents\Games\all games\15 Teleia paixnidakia!\souvlaki_game.exe Infected: Trojan.Win32.FlashZero.d skipped
C:\Documents and Settings\user.USER-64C1C071A7\My Documents\My Games\15_teleia_paixnidakia_\15 Teleia paixnidakia!\souvlaki_game.exe Infected: Trojan.Win32.FlashZero.d skipped
C:\Documents and Settings\user.USER-64C1C071A7\My Documents\NOD_3.0.566_32 bit\New NΟD Addon\User & Pass v8.0.exe Infected: Trojan.Win32.Autoit.bg skipped
C:\Documents and Settings\user.USER-64C1C071A7\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\user.USER-64C1C071A7\NtUser.dat.LOG Object is locked skipped
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\logs\sw_ae-20080103-161241.log Object is locked skipped
C:\QooBox\Quarantine\C\Program Files\MessengerSkinner\uninst.exe.vir/stream/data0005 Infected: not-a-virus:AdWare.Win32.NaviPromo.cc skipped
C:\QooBox\Quarantine\C\Program Files\MessengerSkinner\uninst.exe.vir/stream Infected: not-a-virus:AdWare.Win32.NaviPromo.cc skipped
C:\QooBox\Quarantine\C\Program Files\MessengerSkinner\uninst.exe.vir NSIS: infected - 2 skipped
C:\QooBox\Quarantine\C\VundoFix Backups\fccabxu.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.dhx skipped
C:\QooBox\Quarantine\C\VundoFix Backups\fcccdab.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.dhx skipped
C:\QooBox\Quarantine\C\VundoFix Backups\fccdddd.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.dhx skipped
C:\QooBox\Quarantine\C\VundoFix Backups\geebc.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.dih skipped
C:\QooBox\Quarantine\C\VundoFix Backups\jkhhi.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.dih skipped
C:\QooBox\Quarantine\C\VundoFix Backups\jkklj.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.dih skipped
C:\QooBox\Quarantine\C\VundoFix Backups\mljjj.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.dih skipped
C:\QooBox\Quarantine\C\VundoFix Backups\rqrqnoo.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.dhx skipped
C:\QooBox\Quarantine\C\VundoFix Backups\ssqnkif.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.dhx skipped
C:\QooBox\Quarantine\C\VundoFix Backups\ssqpm.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.dih skipped
C:\QooBox\Quarantine\C\VundoFix Backups\ssttr.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.dih skipped
C:\QooBox\Quarantine\C\VundoFix Backups\urqnkkl.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.dhx skipped
C:\QooBox\Quarantine\C\VundoFix Backups\urqrqrs.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.dhx skipped
C:\QooBox\Quarantine\C\VundoFix Backups\vturr.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.dih skipped
C:\QooBox\Quarantine\C\VundoFix Backups\vtutu.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.dih skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\urqrqrs.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.dhx skipped
C:\QooBox\Quarantine\catchme2008-01-03_134759.95.zip/geedd.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dih skipped
C:\QooBox\Quarantine\catchme2008-01-03_134759.95.zip ZIP: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{6F3D63AB-30DE-48C0-AAD9-C955956DD32D}\RP222\A0056510.exe Object is locked skipped
C:\System Volume Information\_restore{6F3D63AB-30DE-48C0-AAD9-C955956DD32D}\RP222\A0056525.exe Object is locked skipped
C:\System Volume Information\_restore{6F3D63AB-30DE-48C0-AAD9-C955956DD32D}\RP222\A0056542.exe Object is locked skipped
C:\System Volume Information\_restore{6F3D63AB-30DE-48C0-AAD9-C955956DD32D}\RP222\A0056543.exe Object is locked skipped
C:\System Volume Information\_restore{6F3D63AB-30DE-48C0-AAD9-C955956DD32D}\RP222\A0056544.exe Object is locked skipped
C:\System Volume Information\_restore{6F3D63AB-30DE-48C0-AAD9-C955956DD32D}\RP222\A0056545.exe Object is locked skipped
C:\System Volume Information\_restore{6F3D63AB-30DE-48C0-AAD9-C955956DD32D}\RP222\A0056546.exe Object is locked skipped
C:\System Volume Information\_restore{6F3D63AB-30DE-48C0-AAD9-C955956DD32D}\RP222\A0056551.exe Object is locked skipped
C:\System Volume Information\_restore{6F3D63AB-30DE-48C0-AAD9-C955956DD32D}\RP222\A0056553.exe Object is locked skipped
C:\System Volume Information\_restore{6F3D63AB-30DE-48C0-AAD9-C955956DD32D}\RP222\A0056555.exe Object is locked skipped
C:\System Volume Information\_restore{6F3D63AB-30DE-48C0-AAD9-C955956DD32D}\RP222\A0056556.exe Object is locked skipped
C:\System Volume Information\_restore{6F3D63AB-30DE-48C0-AAD9-C955956DD32D}\RP222\A0056557.exe Object is locked skipped
C:\System Volume Information\_restore{6F3D63AB-30DE-48C0-AAD9-C955956DD32D}\RP222\A0056560.exe Object is locked skipped
C:\System Volume Information\_restore{6F3D63AB-30DE-48C0-AAD9-C955956DD32D}\RP222\A0056566.exe Object is locked skipped
C:\System Volume Information\_restore{6F3D63AB-30DE-48C0-AAD9-C955956DD32D}\RP222\A0058552.exe Object is locked skipped
C:\System Volume Information\_restore{6F3D63AB-30DE-48C0-AAD9-C955956DD32D}\RP224\A0058946.dll Infected: Trojan-Downloader.Win32.Small.hje skipped
C:\System Volume Information\_restore{6F3D63AB-30DE-48C0-AAD9-C955956DD32D}\RP225\A0060226.exe Object is locked skipped
C:\System Volume Information\_restore{6F3D63AB-30DE-48C0-AAD9-C955956DD32D}\RP225\A0060228.exe Object is locked skipped
C:\System Volume Information\_restore{6F3D63AB-30DE-48C0-AAD9-C955956DD32D}\RP225\A0060276.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dih skipped
C:\System Volume Information\_restore{6F3D63AB-30DE-48C0-AAD9-C955956DD32D}\RP225\A0060375.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dih skipped
C:\System Volume Information\_restore{6F3D63AB-30DE-48C0-AAD9-C955956DD32D}\RP225\A0060389.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dih skipped
C:\System Volume Information\_restore{6F3D63AB-30DE-48C0-AAD9-C955956DD32D}\RP227\A0060584.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dhx skipped
C:\System Volume Information\_restore{6F3D63AB-30DE-48C0-AAD9-C955956DD32D}\RP227\A0060585.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dhx skipped
C:\System Volume Information\_restore{6F3D63AB-30DE-48C0-AAD9-C955956DD32D}\RP227\A0060645.exe Object is locked skipped
C:\System Volume Information\_restore{6F3D63AB-30DE-48C0-AAD9-C955956DD32D}\RP227\A0060646.exe Object is locked skipped
C:\System Volume Information\_restore{6F3D63AB-30DE-48C0-AAD9-C955956DD32D}\RP227\A0060695.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dih skipped
C:\System Volume Information\_restore{6F3D63AB-30DE-48C0-AAD9-C955956DD32D}\RP227\A0060702.exe Object is locked skipped
C:\System Volume Information\_restore{6F3D63AB-30DE-48C0-AAD9-C955956DD32D}\RP227\A0060706.exe Object is locked skipped
C:\System Volume Information\_restore{6F3D63AB-30DE-48C0-AAD9-C955956DD32D}\RP227\A0060770.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dih skipped
C:\System Volume Information\_restore{6F3D63AB-30DE-48C0-AAD9-C955956DD32D}\RP227\A0060795.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dhx skipped
C:\System Volume Information\_restore{6F3D63AB-30DE-48C0-AAD9-C955956DD32D}\RP227\A0060804.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dih skipped
C:\System Volume Information\_restore{6F3D63AB-30DE-48C0-AAD9-C955956DD32D}\RP227\A0060808.exe Object is locked skipped
C:\System Volume Information\_restore{6F3D63AB-30DE-48C0-AAD9-C955956DD32D}\RP227\A0060809.exe Object is locked skipped
C:\System Volume Information\_restore{6F3D63AB-30DE-48C0-AAD9-C955956DD32D}\RP227\A0060810.exe Object is locked skipped
C:\System Volume Information\_restore{6F3D63AB-30DE-48C0-AAD9-C955956DD32D}\RP227\A0060811.exe Object is locked skipped
C:\System Volume Information\_restore{6F3D63AB-30DE-48C0-AAD9-C955956DD32D}\RP229\A0062979.exe Infected: Trojan-Downloader.Win32.Delf.dnv skipped
C:\System Volume Information\_restore{6F3D63AB-30DE-48C0-AAD9-C955956DD32D}\RP230\A0063059.exe Object is locked skipped
C:\System Volume Information\_restore{6F3D63AB-30DE-48C0-AAD9-C955956DD32D}\RP230\A0064059.exe Object is locked skipped
C:\System Volume Information\_restore{6F3D63AB-30DE-48C0-AAD9-C955956DD32D}\RP231\A0064118.exe Object is locked skipped
C:\System Volume Information\_restore{6F3D63AB-30DE-48C0-AAD9-C955956DD32D}\RP232\A0064130.exe Object is locked skipped
C:\System Volume Information\_restore{6F3D63AB-30DE-48C0-AAD9-C955956DD32D}\RP233\A0064137.exe Object is locked skipped
C:\System Volume Information\_restore{6F3D63AB-30DE-48C0-AAD9-C955956DD32D}\RP233\A0064138.exe Object is locked skipped
C:\System Volume Information\_restore{6F3D63AB-30DE-48C0-AAD9-C955956DD32D}\RP233\A0064141.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dhx skipped
C:\System Volume Information\_restore{6F3D63AB-30DE-48C0-AAD9-C955956DD32D}\RP233\A0064145.exe/stream/data0005 Infected: not-a-virus:AdWare.Win32.NaviPromo.cc skipped
C:\System Volume Information\_restore{6F3D63AB-30DE-48C0-AAD9-C955956DD32D}\RP233\A0064145.exe/stream Infected: not-a-virus:AdWare.Win32.NaviPromo.cc skipped
C:\System Volume Information\_restore{6F3D63AB-30DE-48C0-AAD9-C955956DD32D}\RP233\A0064145.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{6F3D63AB-30DE-48C0-AAD9-C955956DD32D}\RP233\A0064155.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dih skipped
C:\System Volume Information\_restore{6F3D63AB-30DE-48C0-AAD9-C955956DD32D}\RP234\A0064233.exe Object is locked skipped
C:\System Volume Information\_restore{6F3D63AB-30DE-48C0-AAD9-C955956DD32D}\RP234\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{3A02FCE0-B494-45EB-AEC0-26F95BB5378B}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_c8.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
F:\download\nd_av_30566_32_bit\32 bit\New NΟD Addon\User & Pass v8.0.exe Infected: Trojan.Win32.Autoit.bg skipped
F:\download\nd_av_30566_32_bit.rar/32 bit/New NÏD Addon/User & Pass v8.0.exe Infected: Trojan.Win32.Autoit.bg skipped
F:\download\nd_av_30566_32_bit.rar RAR: infected - 1 skipped
F:\System Volume Information\_restore{6F3D63AB-30DE-48C0-AAD9-C955956DD32D}\RP234\change.log Object is locked skipped
F:\WINDOWS\Temp\hsperfdata_SYSTEM\1308 Object is locked skipped
I:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
I:\System Volume Information\_restore{6F3D63AB-30DE-48C0-AAD9-C955956DD32D}\RP234\change.log Object is locked skipped

Scan process completed.


Thanks
andreasm is offline  
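The scan log above mixes three kinds of line: objects the scanner could not open ("Object is locked"), detections on files or archive members ("Infected: <name>"), and per-container summaries ("ZIP: infected - 1"). A responder reading it by hand has to separate live detections in the user's folders from copies that are already contained in the ComboFix quarantine or in System Restore points. The script below is an added example, not code from the post or from Kaspersky, ComboFix or any other tool named in this thread; it parses that line format and makes the split automatically. The sample lines are copied from the log above, and treating `C:\QooBox\Quarantine\` and `System Volume Information` as "already contained" is my assumption about this particular layout.

```python
"""Triage a Kaspersky-style on-demand scan log (added example, not the tool's own code).

Line format assumed from the log in this thread: "<path> <verdict>", where the
verdict is one of
  "Object is locked skipped"            -> file could not be opened; not a detection
  "Infected: <detection-name> skipped"  -> detection on a file or on an archive member
  "<ARCHIVE>: infected - <n> skipped"   -> summary line for the container itself
Members of an archive are written "<container>/<member>".
"""
import re
import sys
from collections import Counter

# Excerpt copied from the scan log posted above (a representative subset).
SAMPLE_LOG = r"""
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\user\Incomplete\Preview-T-3045692-01 Track 1.wma Infected: Trojan-Downloader.WMA.Wimad.l skipped
C:\Documents and Settings\user\Shared\ta plokamia toy karxaria.zip/Setup.exe Infected: not-a-virus:AdWare.Win32.Agent.zk skipped
C:\Documents and Settings\user\Shared\ta plokamia toy karxaria.zip ZIP: infected - 1 skipped
C:\Documents and Settings\user.USER-64C1C071A7\My Documents\32 bit\New NΟD Addon\User & Pass v8.0.exe Infected: Trojan.Win32.Autoit.bg skipped
C:\QooBox\Quarantine\C\VundoFix Backups\fccabxu.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.dhx skipped
C:\System Volume Information\_restore{6F3D63AB-30DE-48C0-AAD9-C955956DD32D}\RP224\A0058946.dll Infected: Trojan-Downloader.Win32.Small.hje skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
F:\download\nd_av_30566_32_bit.rar/32 bit/New NÏD Addon/User & Pass v8.0.exe Infected: Trojan.Win32.Autoit.bg skipped
F:\download\nd_av_30566_32_bit.rar RAR: infected - 1 skipped
"""

LINE_RE = re.compile(
    r"^(?P<path>.+?) (?:"
    r"(?P<locked>Object is locked)"
    r"|Infected: (?P<name>\S+)"
    r"|(?P<archive>[A-Z0-9]+): infected - (?P<count>\d+)"
    r") skipped$"
)

# Assumption for this thread's layout: anything under the ComboFix quarantine
# or inside a System Restore point is already contained, not a live infection.
CONTAINED_MARKERS = ("\\qoobox\\quarantine\\", "\\system volume information\\")


def parse_line(line):
    """Return (path, kind, detail) or None when the line carries no verdict."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    if m.group("locked"):
        return m.group("path"), "locked", None
    if m.group("name"):
        return m.group("path"), "infected", m.group("name")
    return m.group("path"), "container", m.group("archive")


def on_disk_path(path):
    """Map an archive member 'C:\\x.zip/Setup.exe' back to the file on disk."""
    return path.split("/", 1)[0]


def is_contained(path):
    low = path.lower()
    return any(marker in low for marker in CONTAINED_MARKERS)


def triage(log_text):
    """Split the log into live on-disk detections, contained copies, locked count
    and a histogram of detection names."""
    live, contained, locked, names = set(), set(), 0, Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path, kind, detail = rec
        if kind == "locked":
            locked += 1
            continue
        if kind == "infected":
            names[detail] += 1
        # A member hit and its container summary collapse onto one on-disk file.
        disk = on_disk_path(path)
        (contained if is_contained(disk) else live).add(disk)
    return {"live": sorted(live), "contained": sorted(contained),
            "locked": locked, "detections": names}


if __name__ == "__main__":
    # Usage: python triage.py [saved_scan_log.txt]; defaults to the excerpt above.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    result = triage(text)
    print("Live detections (need action):")
    for p in result["live"]:
        print("  ", p)
    print("Already contained (quarantine / restore point):", len(result["contained"]))
    print("Locked objects (not scanned):", result["locked"])
    print("Detection names:", dict(result["detections"]))
```

The "live" list it produces for the full log is the set of paths a responder would hand to a removal script, while the quarantine and restore-point hits are dealt with by emptying the quarantine and flushing System Restore rather than by deleting files one at a time. The locked objects (registry hives, event logs, index.dat) are normal for a scan run from within Windows and are not findings.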
Old 01-05-2008, 01:05 AM   #6 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Oct 2006
Posts: 4,581
OS: Vista


Re: Vundo infection

Hi,

Using cracks for NOD32 is a big no-no. It is probably where you got your infection. If you can't afford to buy/purchase NOD32, I suggest you use a free one:

You can use one of these:


» Avast!
» AVG AntiVirus
» AntiVir


Combofix had a bug so we need to do this.

Download RenV.exe

Open NOTEPAD and copy/paste the text in the codebox below into it:

Code:
C:\Program Files\Creative\MediaSource5\Go\CTCMSGoU   .exe
C:\Program Files\Eset\ESET NOD32 Antivirus\egui  .exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\Program Files\Macrogaming\SweetIM\SweetIM .exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\Spyware Doctor\SDTrayApp .exe
C:\Windows\system32\ctfmon .exe
Save this as Log.txt



Referring to the picture above, drag Log.txt into RenV.exe

When finished, it shall produce a new log for you. Post that log in your next reply.
_______

Open notepad.
Copy and paste the text inside the Code Box below into Notepad
Choose File > Save As and under "Save as type", choose "All Files".
Type clean.bat in the File name and save it to your desktop.

Code:
@echo off 
if exist "%temp%\log.txt" del "%temp%\log.txt"

for %%g in ( 
"C:\Documents and Settings\user\Incomplete\Preview-T-3045692-01 Track 1.wma"
"C:\Documents and Settings\user\Incomplete\Preview-T-3200824-07 Track 7.wma"
"C:\Documents and Settings\user\Incomplete\T-3045692-01 Track 1.wma"
"C:\Documents and Settings\user\Shared\07 Track 7.wma"
"C:\Documents and Settings\user\Shared\ta plokamia toy karxaria.zip"
"C:\Documents and Settings\user\Shared\Top of Charts - 2004.wma"
"C:\Documents and Settings\user\Shared\TOTALLY HIP TRACK.wma"
"C:\Documents and Settings\user.USER-64C1C071A7\My Documents\32 bit\New N?D Addon\User & Pass v8.0.exe"
"C:\Documents and Settings\user.USER-64C1C071A7\My Documents\Games\all games\15 Teleia paixnidakia!\souvlaki_game.exe"
"C:\Documents and Settings\user.USER-64C1C071A7\My Documents\My Games\15_teleia_paixnidakia_\15 Teleia paixnidakia!\souvlaki_game.exe"
"C:\Documents and Settings\user.USER-64C1C071A7\My Documents\NOD_3.0.566_32 bit\New N?D Addon\User & Pass v8.0.exe"
"F:\download\nd_av_30566_32_bit\32 bit\New N?D Addon\User & Pass v8.0.exe"
"F:\download\nd_av_30566_32_bit.rar"
) do ( 
attrib -s -h -r %%g 
del /s/f/q %%g 
if exist %%g echo.%%g >>"%temp%\log.txt" 
)>nul 2>&1 

if exist "%temp%\log.txt" (start notepad "%temp%\log.txt" 
) else echo.Deleted Successfully! 
echo. 
pause 
del %0
Locate clean.bat on your Desktop and double-click on it. Tell me what it says.
_______

*Re-run Combofix and post the log


*I would like you to scan a file for me.

Please go HERE. Copy and paste the following file path in to the box.

C:\WINDOWS\system32\jldoia.exe

Then click submit.

Please post the results to your next reply.

If Jotti is too busy, you can go HERE and do the same as above.
_______

On your next reply, please include a
  • Fresh HijackThis log.
  • jotti scan results
  • combofix log
  • clean.bat results
__________________
UNITE and ASAP since 2006


If we have helped you, please consider donating.

The past won't be able to hurt you unless you keep on looking back at it.

Last edited by Angelfire777; 01-05-2008 at 01:07 AM.
Angelfire777 is offline  
Old 01-05-2008, 06:09 AM   #7 (permalink)
Registered User
 
Join Date: Jan 2008
Posts: 6
OS: WindowsXP Home SP2


Re: Vundo infection

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:01:52 μμ, on 5/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\HP\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.flash.gr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SWEETIE - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - C:\PROGRA~1\MACROG~1\SWEETI~1\toolbar.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Plugin Class - {56CD20F0-7C09-11D5-A768-0050042307CE} - C:\PlayerIE\playerIE.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative MediaSource Go] "C:\Program Files\Creative\MediaSource5\Go\CTCMSGoU .exe" /SCB
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Download with Rapget - C:\Documents and Settings\user.USER-64C1C071A7\My Documents\rapget140\rapget.htm
O8 - Extra context menu item: E&ξαγωγή στο Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Προσθήκη στο ιστολόγιο - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Προσθήκη στο ιστολόγιο στο Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Αποστολή στο OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Α&ποστολή στο OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Πρόχειρες σελίδες HP - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Έξυπνη επιλογή HP - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {070CA17A-4BD2-4612-83B4-32B1B9159B47} (ULiveCtrl Control) - http://uc.sina.com.cn/download/live/weblive2.4.0.0.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://maps.flash.gr/inc/activex/mgaxctrl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B8290E1B-1969-4467-98E5-F5CD44C2156C}: NameServer = 194.219.227.2,193.92.150.3
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe

--
End of file - 10081 bytes

Scanner results
Scan taken on 05 Jan 2008 12:55:58 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

ComboFix 08-01-03.4 - user 2008-01-05 14:50:53.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1253.1.1033.18.1515 [GMT 2:00]
Running from: C:\Documents and Settings\user.USER-64C1C071A7\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-12-05 to 2008-01-05 )))))))))))))))))))))))))))))))
.

2008-01-05 14:40 . 2007-12-27 14:43 15,360 --a--c--- C:\WINDOWS\system32\dllcache\ctfmon.exe
2008-01-05 14:40 . 2007-12-27 14:43 15,360 --a------ C:\WINDOWS\system32\ctfmon.exe
2008-01-03 16:27 . 2008-01-03 16:27 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-03 16:27 . 2008-01-03 16:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-03 13:30 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-12-31 11:04 . 2007-12-31 11:04 <DIR> d-------- C:\Deckard
2007-12-31 10:39 . 2007-12-31 10:39 <DIR> d-------- C:\ie-spyad_zo
2007-12-31 10:31 . 2008-01-02 11:53 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-12-31 01:26 . 2007-12-31 06:51 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-12-30 18:28 . 2008-01-05 14:40 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-12-30 18:28 . 2007-12-30 18:28 <DIR> d-------- C:\Documents and Settings\user.USER-64C1C071A7\Application Data\PC Tools
2007-12-30 18:28 . 2007-10-18 00:16 79,688 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-12-30 18:28 . 2007-10-18 00:15 62,280 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-12-30 18:28 . 2007-10-18 00:14 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-12-30 18:28 . 2007-10-18 00:16 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-12-30 18:27 . 2005-09-23 08:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-12-30 18:02 . 2007-12-30 18:02 <DIR> d-------- C:\Documents and Settings\user.USER-64C1C071A7\Application Data\URSoft
2007-12-30 18:01 . 2007-12-31 06:31 <DIR> d-------- C:\Program Files\Your Uninstaller 2008
2007-12-30 13:48 . 2007-12-30 13:48 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-30 01:13 . 2007-12-30 01:13 <DIR> d-------- C:\Documents and Settings\user.USER-64C1C071A7\Application Data\ESET
2007-12-30 00:40 . 2007-12-30 00:41 <DIR> d-------- C:\Documents and Settings\user.USER-64C1C071A7\Application Data\PrevxCSI
2007-12-30 00:40 . 2007-12-30 00:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2007-12-29 01:28 . 2007-12-30 01:09 <DIR> d-------- C:\Program Files\Trojan Remover
2007-12-29 01:28 . 2006-05-25 14:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2007-12-29 01:28 . 2003-02-02 19:06 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2007-12-29 01:28 . 2005-08-26 00:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2007-12-29 01:28 . 2002-03-06 00:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2007-12-29 01:28 . 2006-06-19 12:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2007-12-28 22:53 . 2007-12-30 01:09 <DIR> d-------- C:\Program Files\Error Repair Professional
2007-12-27 20:16 . 2007-12-29 02:01 <DIR> d-------- C:\Program Files\PowerISO
2007-12-25 23:42 . 2007-12-25 23:53 <DIR> d-------- C:\Program Files\Alive Directory Uno
2007-12-25 23:42 . 2007-12-25 23:42 <DIR> d-------- C:\Documents and Settings\user.USER-64C1C071A7\Application Data\Seven Zip
2007-12-25 23:42 . 2007-12-25 23:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\{9D32D139-042F-4A88-9A6F-7EA2D5953D61}
2007-12-22 01:27 . 2001-09-24 17:43 232 --a------ C:\WINDOWS\XIIIHooligans.ini
2007-12-21 08:21 . 2007-12-21 08:21 71,176 --a------ C:\WINDOWS\system32\drivers\epfw.sys
2007-12-21 08:21 . 2007-12-21 08:21 53,768 --a------ C:\WINDOWS\system32\drivers\epfwtdi.sys
2007-12-18 23:50 . 2007-12-18 23:50 <DIR> d-------- C:\Program Files\Terminal Reality
2007-12-18 23:49 . 2007-12-18 23:49 <DIR> d-------- C:\Documents and Settings\user.USER-64C1C071A7\Application Data\Ahead
2007-12-18 23:39 . 2007-12-30 21:47 <DIR> d-------- C:\Documents and Settings\user.USER-64C1C071A7\Shared
2007-12-18 23:39 . 2007-12-30 21:50 <DIR> d-------- C:\Documents and Settings\user.USER-64C1C071A7\Incomplete
2007-12-17 22:44 . 2007-12-17 22:44 101,376 --a------ C:\WINDOWS\system32\drivers\ACEDRV07.sys
2007-12-17 22:42 . 2007-12-17 22:47 <DIR> d-------- C:\Program Files\Ski Alpin Racing 2007
2007-12-17 22:11 . 2007-12-17 22:11 <DIR> d-------- C:\Documents and Settings\user.USER-64C1C071A7\Application Data\Creative
2007-12-16 16:34 . 2007-12-16 16:34 1,202 --a------ C:\WINDOWS\mozver.dat
2007-12-15 13:05 . 2007-12-15 13:05 <DIR> d-------- C:\Program Files\ASIO4ALL v2
2007-12-15 12:36 . 2007-12-15 12:36 <DIR> d-------- C:\Documents and Settings\user.USER-64C1C071A7\Application Data\MixMeister Technology
2007-12-14 18:03 . 2007-12-15 16:03 <DIR> d-------- C:\Documents and Settings\user.USER-64C1C071A7\Contacts
2007-12-13 22:53 . 2007-12-14 00:21 <DIR> d-------- C:\Documents and Settings\user.USER-64C1C071A7\Application Data\HPAppData
2007-12-13 22:53 . 2007-12-13 22:53 0 --a------ C:\WINDOWS\WB.ini
2007-12-13 22:50 . 2007-12-13 22:50 <DIR> d-------- C:\Documents and Settings\user.USER-64C1C071A7\Application Data\Windows Desktop Search
2007-12-13 22:34 . 2007-12-13 22:34 <DIR> d-------- C:\Program Files\Stardock
2007-12-13 22:34 . 2007-07-11 15:06 42,672 --a------ C:\WINDOWS\system32\wbsys.dll
2007-12-13 22:00 . 2007-12-13 22:00 <DIR> d-------- C:\Documents and Settings\user\Application Data\MixMeister Technology
2007-12-13 21:58 . 2007-12-13 22:00 <DIR> d-------- C:\Program Files\MixMeister Fusion + Video
2007-12-11 17:01 . 2007-12-11 17:01 <DIR> d-------- C:\Documents and Settings\user\Application Data\Wyzo
2007-12-11 17:01 . 2007-12-11 17:01 <DIR> d-------- C:\Documents and Settings\user\Application Data\.wyzo
2007-12-11 17:01 . 2007-12-11 17:01 0 --a------ C:\WINDOWS\nsreg.dat
2007-12-08 12:37 . 2007-12-08 12:37 301,568 --a------ C:\WINDOWS\system32\jldoia.exe
2007-12-07 12:38 . 2007-12-07 12:39 <DIR> d-------- C:\Program Files\Online TV Player 3
2007-12-07 12:38 . 2007-12-07 12:38 10 --a------ C:\WINDOWS\system32\810429tv3-test.jun

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-05 12:40 --------- d-----w C:\Program Files\QuickTime
2008-01-05 12:30 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-31 04:31 --------- d-----w C:\Program Files\Windows Live Toolbar
2007-12-31 04:12 --------- d-----w C:\Program Files\SpeederXP
2007-12-29 23:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Eset
2007-12-21 06:20 30,216 ----a-w C:\WINDOWS\system32\drivers\easdrv.sys
2007-12-21 06:19 39,944 ----a-w C:\WINDOWS\system32\drivers\eamon.sys
2007-12-12 22:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-12-11 15:01 --------- d-----w C:\Documents and Settings\user\Application Data\.wyzo
2007-12-07 10:31 --------- d-----w C:\Program Files\myTV
2007-12-01 10:17 --------- d-----w C:\Program Files\Windows Live
2007-11-30 22:19 --------- d-----w C:\Program Files\Windows Live Favorites
2007-11-27 21:08 --------- d-----w C:\Program Files\KVS2007
2007-11-23 20:28 --------- d-----w C:\Program Files\Macrogaming
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-08 10:56 --------- d-----w C:\Program Files\MSECache
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 15:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-23 15:49 587,776 ----a-w C:\WINDOWS\WLXPGSS.SCR
2007-10-21 17:24 159,744 ----a-w C:\WINDOWS\system32\UCLiveCore.dll
2007-10-21 16:33 241,664 ----a-w C:\WINDOWS\system32\UCLiveSocket.dll
2007-09-13 17:19 2,933 ----a-w C:\Program Files\rapget.ini
2007-09-13 17:19 17 ----a-w C:\Program Files\links.dat
2007-08-25 18:03 47,360 ----a-w C:\Documents and Settings\user\Application Data\pcouffin.sys
2007-08-04 09:21 912 ----a-w C:\Documents and Settings\user\Bindings.DAT
2007-06-24 17:30 9,787 ----a-w C:\Program Files\readme_en.txt
2007-06-24 17:30 11,075 ----a-w C:\Program Files\readme_rus.txt
2007-06-24 17:29 171,008 ----a-w C:\Program Files\rapget.exe
2007-06-23 15:32 79,432 ----a-w C:\Program Files\base.rob
.

((((((((((((((((((((((((((((( snapshot@2008-01-03_14.08.09.09 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-05-24 10:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 13:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 13:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
+ 2008-01-05 12:36:56 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_1c4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0347C33E-8762-4905-BF09-768834316C61}]
2007-03-02 15:52 1298024 -ra------ C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{053F9267-DC04-4294-A72C-58F732D338C0}]
2007-03-02 15:52 177768 -ra------ C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2007-12-27 14:43 15360]
"Creative MediaSource Go"="C:\Program Files\Creative\MediaSource5\Go\CTCMSGoU .exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"P17Helper"="P17.dll" [2005-05-03 13:38 64512 C:\WINDOWS\system32\P17.dll]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-28 23:43 8466432]
"nwiz"="nwiz.exe" [2007-06-28 23:43 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-06-28 23:43 81920]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2007-12-30 19:08 1065800]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 14:39 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll 2007-09-23 10:10 229376 C:\Program Files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

R0 sfdrv01a;StarForce Protection Environment Driver (version 1.x.a);C:\WINDOWS\system32\drivers\sfdrv01a.sys [2006-07-05 14:46]
R1 easdrv;easdrv;C:\WINDOWS\system32\DRIVERS\easdrv.sys [2007-12-21 08:20]
R1 epfwtdi;epfwtdi;C:\WINDOWS\system32\DRIVERS\epfwtdi.sys [2007-12-21 08:21]
R2 eamon;EAMON;C:\WINDOWS\system32\DRIVERS\eamon.sys [2007-12-21 08:19]
R2 epfw;epfw;C:\WINDOWS\system32\DRIVERS\epfw.sys [2007-12-21 08:21]
R2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe [2004-07-14 00:05]
R3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe [2004-07-14 00:05]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08

.
Contents of the 'Scheduled Tasks' folder
"2008-01-05 12:50:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-05 14:53:09
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-05 14:54:05
ComboFix-quarantined-files.txt 2008-01-05 12:54:01
ComboFix2.txt 2008-01-03 14:20:57
ComboFix3.txt 2008-01-03 12:08:40
.
2007-12-12 22:43:29 --- E O F ---


Code:
Ran on ‘˜™ 05/01/2008 - 14:40:32,12

 Entries:                0  (0)
 Directories:            0  Files:             0
 Bytes:                  0  Blocks:            0

Please note that before I started anything I uninstalled NOD32. Also, after clean.bat the comment was <Successfully deleted>.

Awaiting your instructions.
Old 01-05-2008, 06:17 AM   #8
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Oct 2006
Posts: 4,581
OS: Vista


Re: Vundo infection

Hi,

Please grab one of those free ones immediately and install ONE of them. Going online without an antivirus is hazardous, and in just a few minutes of surfing you could get infected immediately.

Delete these Nod32 leftovers..

C:\Documents and Settings\user.USER-64C1C071A7\Application Data\ESET
C:\Documents and Settings\All Users\Application Data\Eset

empty your recycle bin.


How is your machine running?
__________________
UNITE and ASAP since 2006


If we have helped you, please consider donating.

The past won't be able to hurt you unless you keep on looking back at it.
Old 01-05-2008, 10:33 AM   #9
Registered User
Join Date: Jan 2008
Posts: 6
OS: WindowsXP Home SP2


Re: Vundo infection

Hi,

I took Avast antivirus and I've already installed it. Also, an icon of Spyware Doctor is active in the bottom right corner of my screen.
My machine is running very well as far as I can see for the last 48 hours.

Am I free of the virus?

What protection do you suggest?
Old 01-05-2008, 05:04 PM   #10
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Oct 2006
Posts: 4,581
OS: Vista


Re: Vundo infection

Your logs are clean, so it seems to be that way.

Click start > run > copy and paste:

combofix /u

That will hide your system files, clear your system restore cache and uninstall combofix.


Here are some free programs I recommend that could help you improve your pc's security.

Firewall Application - Although Windows XP comes with a firewall, you should not rely on it because the Windows Firewall can only filter incoming data; outgoing traffic is not controlled, meaning that malware/viruses that are present on your computer can access the internet with no restrictions. There are several other firewalls that can protect you better by filtering incoming and outgoing data. Make sure you get only one of these.

» Comodo
» Kerio

MVPS Hosts File
~You can download it from here
~I highly recommend this hosts file. You can learn more about this here

Install SpyWare Blaster
~You can download it from here
~You can read the tutorial on how to use Spyware Blaster here

Install WinPatrol
~You can download it from here
~You can get some information about how WinPatrol works here

Note: Make sure you update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

Please check out Tony Klein's article "How did I get infected in the first place?"

Happy safe surfing!

Note: Please reply to this thread one last time so I could close it.
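The hosts-file recommendation in the post above can be checked mechanically, which also matters in a thread about hijacked name resolution. What follows is an added example, not code from the forum, from the moderator, or from the MVPS project: a small Python audit that reads a hosts file and separates blocklist entries (names mapped to 0.0.0.0 or 127.0.0.1, the only targets a blocklist-style hosts file uses) from redirects to any other address, malformed lines, and names that are mapped to conflicting addresses. The sample hosts text and its example.com/.net/.org names are constructed; the Windows path used in audit_file is the standard location of the hosts file.

```python
"""Audit a Windows hosts file for entries that redirect rather than block.

Added example for this thread, not code from the forum or from MVPS.
Assumption: a blocklist-style hosts file maps every name to the unspecified
address 0.0.0.0 or to loopback (127.0.0.1 / ::1); anything else is a redirect
that a defender should look at.
"""
import ipaddress
import os
import re
from collections import defaultdict

# Targets that block a name rather than redirect it.
BLOCK_TARGETS = {"0.0.0.0", "127.0.0.1", "::1"}

# Standard location of the hosts file on Windows.
WINDOWS_HOSTS = os.path.join(
    os.environ.get("SystemRoot", r"C:\WINDOWS"), "System32", "drivers", "etc", "hosts"
)

# Constructed sample: a short hosts file mixing legitimate blocklist lines,
# a comment, a tab-separated line, a hypothetical redirect, a conflicting
# second mapping for the same name, and a malformed address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0  ads.example.net      # MVPS-style block entry
0.0.0.0\tbanner.example.org
10.11.12.13     update.example.com     # constructed: redirect, not a block
127.0.0.1       update.example.com
not-an-address  broken.example.com
"""


def parse_hosts(text):
    """Return a list of (address, [hostnames], line_no) for each non-comment line."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = re.split(r"\s+", line)
        entries.append((parts[0], parts[1:], line_no))
    return entries


def audit_hosts(text):
    """Classify every entry.

    Returns a dict with:
      blocks    -> [(line_no, name)]               names mapped to a block target
      redirects -> [(line_no, name, address)]      names mapped anywhere else
      invalid   -> [(line_no, address_text)]       lines whose address does not parse
      conflicts -> [(name, [addresses])]           names mapped to more than one address
    """
    report = {"blocks": [], "redirects": [], "invalid": [], "conflicts": []}
    seen = defaultdict(set)  # hostname -> every address it maps to
    for addr, names, line_no in parse_hosts(text):
        try:
            ip = str(ipaddress.ip_address(addr))
        except ValueError:
            report["invalid"].append((line_no, addr))
            continue
        for name in names:
            seen[name.lower()].add(ip)
            if ip in BLOCK_TARGETS:
                report["blocks"].append((line_no, name))
            else:
                report["redirects"].append((line_no, name, ip))
    report["conflicts"] = [(n, sorted(a)) for n, a in seen.items() if len(a) > 1]
    return report


def audit_file(path=WINDOWS_HOSTS):
    """Audit a hosts file on disk (hosts files are ASCII; replace stray bytes)."""
    with open(path, encoding="ascii", errors="replace") as fh:
        return audit_hosts(fh.read())


def summarize(report):
    """Render the parts of the report a user needs to act on."""
    lines = [f"{len(report['blocks'])} block entries"]
    for line_no, name, ip in report["redirects"]:
        lines.append(f"line {line_no}: {name} is redirected to {ip}")
    for name, addrs in report["conflicts"]:
        lines.append(f"{name} maps to several addresses: {', '.join(addrs)}")
    for line_no, addr in report["invalid"]:
        lines.append(f"line {line_no}: unparseable address {addr!r}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(audit_hosts(SAMPLE_HOSTS)))
```

Run it as-is to see the constructed sample classified; call audit_file() on a Windows machine to inspect the live hosts file. A redirect entry is not automatically malicious (some people pin names for development), but on a home PC that has just been cleaned, any name pointed at a non-local address is worth explaining before trusting the file.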
Old 01-06-2008, 10:03 AM   #11
Registered User
Join Date: Jan 2008
Posts: 6
OS: WindowsXP Home SP2


Re: Vundo infection

Hi,

Many thanks for your great help.
Copyright 2001 - 2009, Tech Support Forum