Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Help @ Removing: AdWare.Win32.Virtumonde.tro

Started by Redgerasimos , May 26 2008 06:29 AM

Please log in to reply

#16
Redgerasimos

Posted 26 May 2008 - 03:25 PM

Member

Topic Starter
Member
25 posts

+ 2008-03-01 12:58:43 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
+ 2008-05-26 21:06:18 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_9e4.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-09-07 15:00 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-02-01 18:22 21898024]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39 1310720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"USB Storage RW"="C:\Program Files\USB Storage RW\DskWatch.exe" [2004-12-23 15:00 208896]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [2006-07-31 18:03 35416]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 02:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 02:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"VGAUtil"="C:\Program Files\GigaByte\VGA Utility Manager\G-VGA.exe" [2007-01-02 10:22 544768]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2005-12-04 16:39 461584]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 02:41 81920]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-03-25 15:52 185896]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 16:28 577536 C:\WINDOWS\SOUNDMAN.EXE]
"CnxDslTaskBar"="C:\Program Files\ZTE\ZXDSL852\CnxDslTb.exe" [2005-03-16 14:14 278528]
"SpywareTerminator"="C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe" [2008-05-20 17:11 1817600]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" [2006-11-08 19:28 155751]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-09-07 15:00 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\CyberLink\\PowerCinema\\PowerCinema.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Warcraft III\\Frozen Throne.exe"=
"C:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"C:\\Program Files\\WC3Banlist\\WC3Banlist.exe"=
"C:\\Program Files\\World of Warcraft\\Launcher.exe"=
"C:\\Program Files\\Kaspersky Lab\\Kaspersky Internet Security 6.0\\avp.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2007-09-21 17:49]
R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2006-12-15 23:21]
R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\system32\drivers\sp_rsdrv2.sys [2008-05-20 17:11]
R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);"c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ []
R2 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2007-02-10 06:29]
R3 CnxEtP;ZTE ZXDSL852 Adapter Filter Driver;C:\WINDOWS\system32\DRIVERS\CnxEtP.sys [2005-06-03 13:28]
R3 CnxEtU;ZTE ZXDSL852 Interface Device Driver;C:\WINDOWS\system32\DRIVERS\CnxEtU.sys [2005-06-03 13:28]
R3 CnxTgNL;ZTE ZXDSL852 LAN Adapter Driver;C:\WINDOWS\system32\DRIVERS\CnxTgNL.sys [2005-06-03 13:28]
R3 dskwatch;Disk Watch Filter;C:\WINDOWS\system32\drivers\dskwatch.sys [2004-11-30 11:19]
R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2006-12-20 15:00]
R3 GPCIDrv;GPCIDrv;C:\WINDOWS\GPCIDrv.sys [2008-05-27 00:04]
R3 GVTDrv;GVTDrv;C:\WINDOWS\system32\Drivers\GVTDrv.sys [2008-05-27 00:04]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-03 00:10]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-26 21:02:19 C:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-27 00:03:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\SiteAdvisor\6172\saHook.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2008-05-27 0:13:01 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-26 21:12:56
ComboFix2.txt 2008-05-26 14:34:28
ComboFix3.txt 2008-05-26 14:21:07

21 Κατάλογοι 55,864,238,080 διαθέσιμα byte
24 ‰˜«αΆ¦š¦ 55,831,777,280 › ˜Ÿβ© £˜ byte

769 --- E O F --- 2008-05-26 19:56:23

#17
Redgerasimos

Posted 26 May 2008 - 03:26 PM

Member

Topic Starter
Member
25 posts

HijackThis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:14:19 πμ, on 27/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\USB Storage RW\DskWatch.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\GigaByte\VGA Utility Manager\G-VGA.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ZTE\ZXDSL852\CnxDslTb.exe
C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Opera\Opera.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aokerkyra.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.c...spx?tb_id=60327
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.c...aspx?TbId=60327
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Συνδέσεις
R3 - URLSearchHook: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Βοηθός εισόδου του Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O4 - HKLM\..\Run: [USB Storage RW] C:\Program Files\USB Storage RW\DskWatch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [VGAUtil] C:\Program Files\GigaByte\VGA Utility Manager\G-VGA.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Program Files\ZTE\ZXDSL852\CnxDslTb.exe" "ZTE\ZXDSL852"
O4 - HKLM\..\Run: [SpywareTerminator] "C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\ie_banner_deny.htm
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: Λήψη όλων με το FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Λήψη με χρήση του FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: Προσθήκη στο ιστολόγιο - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Προσθήκη στο ιστολόγιο στο Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab55579.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/...dy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab55579.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1192450896109
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemreq.../sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1192450882062
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoe...ggPublisher.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/...xy.cab55579.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://plugin.driver...driveragent.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/...on.cab55579.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 11947 bytes

#18
kahdah

Posted 26 May 2008 - 03:39 PM

GeekU Teacher

Retired Staff
15,822 posts

Please update Kaspersky internet Security and run a full scan with it let it delete\Quarantine anything it finds and let me know if it finds something it cannot delete.
====================
After that please update your Java:
Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version of Java components and upgrade the application. Beware it is NOT supported for use in 9x or ME and probably will not install in those systems

Ugrading Java:

Download the latest version of Java Runtime Environment (JRE) 6 update 6.
Choose Free Java Download
Close any programs you may have running and follow the prompts.

After that

Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.

========
Follow these steps to uninstall Combofix and tools used in the removal of malware

Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.

Also delete\uninstall anything that we used that is left over.
=========
After that your log is clean.

The following is a list of tools and utilities that I like to suggest to people.
You do not have to have all or any of them they are only suggestions.
This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

Spybot Search & Destroy-Uber powerful tool which can search and annhilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.

Ad-Aware-Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy compliment each other very well.

Spyware Blaster - Great prevention tool to keep nasties from installing on your system.

Spywareguard-Works as a Spyware "Shield" to protect your computer from getting malware in the first place.

IE-SPYAD- puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Tony Klein article To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.

#19
Redgerasimos

Posted 27 May 2008 - 06:26 AM

Member

Topic Starter
Member
25 posts

Still virtumonde is in my PC...Oh man im very upset with this virus trojan whatever is it...I think u did your job well and it got removed but i think by the time i open internet explorer i got infected again...Now my PC runs even slower and oh man i cant believe this...The funny thing is that i think this specific one redirects me to a greek website which says buy protection ant virus bla bla bla...Every anti virus program i tried failed to remove this...I know which are exactly the virus files and where they are but i simply cant manually remove them coz PC says they are already used by an other program or application or whatever...I think if i could find that application and close it from task manager i would be able to delete this files...What do you suggest Kahdah m8? Should we contact through MSN to make this easier...?

Edited by kahdah, 27 May 2008 - 07:10 AM.
language

#20
kahdah

Posted 27 May 2008 - 06:38 AM

GeekU Teacher

Retired Staff
15,822 posts

Please download Deckard's System Scanner (DSS) and save it to your Desktop.

Close all other windows before proceeding.
Double-click on dss.exe and follow the prompts.
When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

#21
Redgerasimos

Posted 27 May 2008 - 07:39 AM

Member

Topic Starter
Member
25 posts

Only the main text opened for me...:S

Deckard's System Scanner v20071014.68
Run by Γεράσιμος Κύρλος on 2008-05-27 16:36:01
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- HijackThis (run as Γεράσιμος Κύρλος.exe) -----------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:36:54 μμ, on 27/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\USB Storage RW\DskWatch.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\GigaByte\VGA Utility Manager\G-VGA.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ZTE\ZXDSL852\CnxDslTb.exe
C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Opera\Opera.exe
C:\Documents and Settings\Γεράσιμος Κύρλος\Επιφάνεια εργασίας\PC repair\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\ED8F~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aokerkyra.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.c...spx?tb_id=60327
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.c...aspx?TbId=60327
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Συνδέσεις
R3 - URLSearchHook: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: (no name) - {166BCB27-FCFD-4588-9BDB-44FC6A02EF35} - C:\WINDOWS\system32\nnnKBTkk.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {340D4F19-D4E7-42E6-B416-5106D0C2F394} - C:\WINDOWS\system32\nnnljjHB.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Βοηθός εισόδου του Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O4 - HKLM\..\Run: [USB Storage RW] C:\Program Files\USB Storage RW\DskWatch.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [VGAUtil] C:\Program Files\GigaByte\VGA Utility Manager\G-VGA.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Program Files\ZTE\ZXDSL852\CnxDslTb.exe" "ZTE\ZXDSL852"
O4 - HKLM\..\Run: [SpywareTerminator] "C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [30b1afc4] rundll32.exe "C:\WINDOWS\system32\syyfffjs.dll",b
O4 - HKLM\..\Run: [BM33829c58] Rundll32.exe "C:\WINDOWS\system32\nhaesroy.dll",s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: Λήψη όλων με το FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Λήψη με χρήση του FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Προσθήκη στο ιστολόγιο - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Προσθήκη στο ιστολόγιο στο Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab55579.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/...dy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab55579.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1192450896109
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemreq.../sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1192450882062
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoe...ggPublisher.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/...xy.cab55579.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://plugin.driver...driveragent.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/...on.cab55579.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{96EDCE5C-F18B-47AD-8D73-20554CD7AD02}: NameServer = 213.5.41.8 213.5.17.21
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: nnnKBTkk - C:\WINDOWS\SYSTEM32\nnnKBTkk.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 12874 bytes

-- Files created between 2008-04-27 and 2008-05-27 -----------------------------

2008-05-27 16:19:56 686630 --a------ C:\dss.exe
2008-05-27 15:37:33 0 d-------- C:\Program Files\SpywareGuard
2008-05-27 14:46:43 2560 --a------ C:\WINDOWS\system32\vnuqirvg.exe
2008-05-27 14:43:55 113664 --a------ C:\WINDOWS\system32\syyfffjs.dll
2008-05-27 14:41:26 125440 --a------ C:\WINDOWS\system32\nhaesroy.dll
2008-05-27 13:52:10 96645 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-05-27 13:52:10 87941 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-05-27 13:49:35 0 d-------- C:\Program Files\Kaspersky Lab
2008-05-27 13:38:10 58368 --a------ C:\WINDOWS\system32\vtUopNGA.dll
2008-05-27 03:23:02 2560 --a------ C:\WINDOWS\system32\rmqpiino.exe
2008-05-27 03:13:44 279066 --ahs---- C:\WINDOWS\system32\BHjjlnnn.ini2
2008-05-27 03:13:19 371200 --a------ C:\WINDOWS\system32\nnnljjHB.dll
2008-05-27 03:01:08 58368 --a------ C:\WINDOWS\system32\nnnKBTkk.dll
2008-05-27 02:47:08 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-05-27 02:34:35 0 d-------- C:\327882R2FWJFW
2008-05-26 17:00:58 0 d-------- C:\cmdcons
2008-05-26 16:26:01 0 d-------- C:\Combo fix
2008-05-26 15:39:38 0 d-------- C:\Program Files\Trend Micro
2008-05-26 15:33:26 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-26 15:32:17 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-05-26 15:32:17 0 d-------- C:\Documents and Settings\Γεράσιμος Κύρλος\Application Data\SUPERAntiSpyware.com
2008-05-24 20:12:48 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2008-05-20 17:21:24 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-20 17:18:34 0 d-------- C:\Program Files\WinClamAVShield
2008-05-20 17:13:00 0 d-------- C:\searchplugins
2008-05-20 17:12:16 0 d-------- C:\Program Files\Crawler
2008-05-20 17:11:54 141312 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2008-05-20 17:11:45 0 d-------- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-05-20 17:11:44 0 d-------- C:\Documents and Settings\Γεράσιμος Κύρλος\Application Data\Spyware Terminator
2008-05-20 17:11:37 0 d-------- C:\Program Files\Spyware Terminator
2008-05-17 13:10:44 0 d-------- C:\Program Files\Incomplete
2008-05-13 16:14:38 110602 --a------ C:\WINDOWS\system32\xcdsfx32.bin
2008-05-13 16:14:35 0 d-------- C:\Program Files\Driver Magician

-- Find3M Report ---------------------------------------------------------------

2008-05-27 16:34:03 0 d-------- C:\Documents and Settings\Γεράσιμος Κύρλος\Application Data\Skype
2008-05-27 16:30:31 5112 --a------ C:\WINDOWS\GPCIDrv.sys
2008-05-27 16:06:04 0 d-------- C:\Program Files\Warcraft III
2008-05-27 13:28:57 0 d-------- C:\Documents and Settings\Γεράσιμος Κύρλος\Application Data\skypePM
2008-05-27 02:48:16 0 d-------- C:\Documents and Settings\Γεράσιμος Κύρλος\Application Data\uTorrent
2008-05-27 02:25:04 597860 --a------ C:\WINDOWS\system32\perfh008.dat
2008-05-27 02:25:04 112858 --a------ C:\WINDOWS\system32\perfc008.dat
2008-05-27 01:45:33 0 d-------- C:\Program Files\VirtualDJ
2008-05-27 01:44:04 0 d-------- C:\Program Files\Java
2008-05-27 00:31:14 127823 --a------ C:\Documents and Settings\Γεράσιμος Κύρλος\Application Data\Cosmos Prefs
2008-05-26 16:10:38 3344 --a------ C:\Documents and Settings\Γεράσιμος Κύρλος\Application Data\wklnhst.dat
2008-05-26 15:31:49 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-24 20:12:18 0 d-------- C:\Program Files\Common Files\Adobe
2008-05-24 20:00:19 0 d-------- C:\Documents and Settings\Γεράσιμος Κύρλος\Application Data\AdobeUM
2008-05-23 07:20:04 0 d-------- C:\Documents and Settings\Γεράσιμος Κύρλος\Application Data\SiteAdvisor
2008-05-20 18:21:33 0 d-------- C:\Program Files\DAEMON Tools
2008-05-20 18:21:31 0 d-------- C:\Program Files\Intelore
2008-05-17 13:20:09 0 d-------- C:\Program Files\LimeWire
2008-05-14 15:59:42 0 d-------- C:\Program Files\World of Warcraft
2008-05-13 16:40:40 0 d-------- C:\Program Files\MagicISO
2008-05-13 16:27:15 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-13 16:11:02 0 d-------- C:\Program Files\ImTOO
2008-05-13 16:10:51 0 d-------- C:\Program Files\NCH Swift Sound
2008-05-10 00:47:49 0 d-------- C:\Program Files\DivX
2008-04-23 11:55:11 0 d-------- C:\Program Files\ePrompter
2008-04-18 13:09:37 0 d-------- C:\Documents and Settings\Γεράσιμος Κύρλος\Application Data\LimeWire
2008-04-16 13:50:38 0 d-------- C:\Documents and Settings\Γεράσιμος Κύρλος\Application Data\U3
2008-04-09 18:18:50 0 d-------- C:\Program Files\Opera
2008-04-09 11:40:42 0 d-------- C:\Program Files\AvRack
2008-04-03 01:01:12 0 d-------- C:\Program Files\RadarSync Ltd
2008-04-03 00:53:31 0 d-------- C:\Documents and Settings\Γεράσιμος Κύρλος\Application Data\Auslogics
2008-04-03 00:53:22 0 d-------- C:\Program Files\Auslogics
2008-04-02 16:26:16 0 d-------- C:\Program Files\Creative
2008-04-02 15:49:01 0 d-------- C:\Program Files\Realtek AC97
2008-04-02 15:36:32 0 d-------- C:\Program Files\SymplisIT
2008-04-01 00:25:48 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2008-04-01 00:25:48 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2008-04-01 00:25:46 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2008-04-01 00:25:46 831488 --a------ C:\WINDOWS\system32\divx_xx0a.dll
2008-04-01 00:25:46 682496 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2008-03-31 14:05:33 0 d-------- C:\Program Files\Cosmos
2008-03-21 23:30:08 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-03-21 23:28:54 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-03-21 23:28:54 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-03-21 23:28:20 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{166BCB27-FCFD-4588-9BDB-44FC6A02EF35}]
27/05/2008 03:01 §£ 58368 --a------ C:\WINDOWS\system32\nnnKBTkk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{340D4F19-D4E7-42E6-B416-5106D0C2F394}]
27/05/2008 03:13 §£ 371200 --a------ C:\WINDOWS\system32\nnnljjHB.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"USB Storage RW"="C:\Program Files\USB Storage RW\DskWatch.exe" [23/12/2004 03:00 ££]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [31/07/2006 06:03 ££]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [05/12/2007 02:41 §£]
"nwiz"="nwiz.exe" [05/12/2007 02:41 §£ C:\WINDOWS\system32\nwiz.exe]
"VGAUtil"="C:\Program Files\GigaByte\VGA Utility Manager\G-VGA.exe" [02/01/2007 10:22 §£]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [04/12/2005 04:39 ££]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [05/12/2007 02:41 §£]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [25/03/2008 03:52 ££]
"SoundMan"="SOUNDMAN.EXE" [16/04/2007 04:28 ££ C:\WINDOWS\SOUNDMAN.EXE]
"CnxDslTaskBar"="C:\Program Files\ZTE\ZXDSL852\CnxDslTb.exe" [16/03/2005 02:14 ££]
"SpywareTerminator"="C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe" [20/05/2008 05:11 ££]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [25/03/2008 04:28 §£]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [08/02/2008 06:36 ££]
"30b1afc4"="C:\WINDOWS\system32\syyfffjs.dll" [27/05/2008 02:43 ££]
"BM33829c58"="C:\WINDOWS\system32\nhaesroy.dll" [27/05/2008 02:41 ££]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [07/09/2004 03:00 ££]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [18/10/2007 12:34 ££]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [01/02/2008 06:22 ££]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [27/05/2008 03:08 §£]

C:\Documents and Settings\‚œ¨α© £¦ ‰η¨Ά¦\Start Menu\¨¦š¨α££˜«˜\„΅΅ε¤ž©ž\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [29/8/2003 7:05:35 ££]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
"disableregistrytools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{166BCB27-FCFD-4588-9BDB-44FC6A02EF35}"= C:\WINDOWS\system32\nnnKBTkk.dll [27/05/2008 03:01 §£ 58368]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [27/05/2008 03:08 §£ 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 27/05/2008 03:08 §£ 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnKBTkk]
nnnKBTkk.dll 27/05/2008 03:01 §£ 58368 C:\WINDOWS\system32\nnnKBTkk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\nnnljjHB

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{050c8c59-0ae8-11dd-b67e-00d0d08b48af}]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ef78dd41-5ace-11db-9cf1-806d6172696f}]

-- End of Deckard's System Scanner: finished at 2008-05-27 16:39:52 ------------

#22
kahdah

Posted 27 May 2008 - 11:24 AM

GeekU Teacher

Retired Staff
15,822 posts

First, we need to backup your registry:
Please go to Start > Run
Paste in the following line:regedit /e c:\registrybackup.reg
Click OK.
It won't appear to be doing anything, that's normal.
Your mouse pointer may turn to an hour glass for a minute.
Please continue when it no longer has the hour glass.

Please open up Notepad and copy all of the items in the code box below.
Change the "Save As Type" to "All Files". Save it as fixthis.reg on your Desktop.

REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

Now double-click fixthis.reg.
A window will come up asking if you want to let it merge with the registry.
Click yes.
==================================
1. Please download The Avenger2 by Swandog46 to your Desktop.

Right click on the Avenger.zip folder and select "Extract All..."
Follow the prompts and extract the avenger folder to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\WINDOWS\system32\vnuqirvg.exe
C:\WINDOWS\system32\syyfffjs.dll
C:\WINDOWS\system32\nhaesroy.dll
C:\WINDOWS\system32\vtUopNGA.dll
C:\WINDOWS\system32\rmqpiino.exe
C:\WINDOWS\system32\BHjjlnnn.ini2
C:\WINDOWS\system32\nnnljjHB.dll
C:\WINDOWS\system32\nnnKBTkk.dll

Registry keys to delete:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{166BCB27-FCFD-4588-9BDB-44FC6A02EF35}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{340D4F19-D4E7-42E6-B416-5106D0C2F394}
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnKBTkk

Registry values to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | 30b1afc4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | BM33829c58

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, open the avenger folder and start The Avenger program by clicking on its icon.

Right click on the window under Input script here:, and select Paste.
You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
Click on Execute
Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete" or "Drivers to Disable", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh dss log .

#23
Redgerasimos

Posted 27 May 2008 - 03:51 PM

Member

Topic Starter
Member
25 posts

Had some problems after the restart...I couldnt open my PC account coz PC was freezing at a black screen and restarting...I finally open my PC successfully and here is the Avenger Log:

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\system32\vnuqirvg.exe" deleted successfully.
File "C:\WINDOWS\system32\syyfffjs.dll" deleted successfully.
File "C:\WINDOWS\system32\nhaesroy.dll" deleted successfully.
File "C:\WINDOWS\system32\vtUopNGA.dll" deleted successfully.
File "C:\WINDOWS\system32\rmqpiino.exe" deleted successfully.
File "C:\WINDOWS\system32\BHjjlnnn.ini2" deleted successfully.
File "C:\WINDOWS\system32\nnnljjHB.dll" deleted successfully.
File "C:\WINDOWS\system32\nnnKBTkk.dll" deleted successfully.
Registry key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{166BCB27-FCFD-4588-9BDB-44FC6A02EF35}" deleted successfully.
Registry key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{340D4F19-D4E7-42E6-B416-5106D0C2F394}" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnKBTkk" deleted successfully.

Error: could not delete registry value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|30b1afc4"
Deletion of registry value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|30b1afc4" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Registry value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|BM33829c58" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

DSS Log:

Deckard's System Scanner v20071014.68
Run by Γεράσιμος Κύρλος on 2008-05-28 00:50:09
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- HijackThis (run as Γεράσιμος Κύρλος.exe) -----------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:50:26 πμ, on 28/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\USB Storage RW\DskWatch.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\GigaByte\VGA Utility Manager\G-VGA.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ZTE\ZXDSL852\CnxDslTb.exe
C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\ED8F~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aokerkyra.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.c...spx?tb_id=60327
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.c...aspx?TbId=60327
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Συνδέσεις
R3 - URLSearchHook: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Βοηθός εισόδου του Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O4 - HKLM\..\Run: [USB Storage RW] C:\Program Files\USB Storage RW\DskWatch.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [VGAUtil] C:\Program Files\GigaByte\VGA Utility Manager\G-VGA.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Program Files\ZTE\ZXDSL852\CnxDslTb.exe" "ZTE\ZXDSL852"
O4 - HKLM\..\Run: [SpywareTerminator] "C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: Λήψη όλων με το FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Λήψη με χρήση του FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Προσθήκη στο ιστολόγιο - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Προσθήκη στο ιστολόγιο στο Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab55579.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/...dy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab55579.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1192450896109
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemreq.../sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1192450882062
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoe...ggPublisher.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/...xy.cab55579.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://plugin.driver...driveragent.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/...on.cab55579.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{96EDCE5C-F18B-47AD-8D73-20554CD7AD02}: NameServer = 213.5.41.8 213.5.17.21
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 12331 bytes

-- Files created between 2008-04-28 and 2008-05-28 -----------------------------

2008-05-28 00:02:46 788 --a------ C:\avexport.bat
2008-05-27 16:19:56 686630 --a------ C:\dss.exe
2008-05-27 15:37:33 0 d-------- C:\Program Files\SpywareGuard
2008-05-27 13:52:10 96645 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-05-27 13:52:10 87941 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-05-27 13:49:35 0 d-------- C:\Program Files\Kaspersky Lab
2008-05-27 02:47:08 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-05-27 02:34:35 0 d-------- C:\327882R2FWJFW <327882~1>
2008-05-26 17:00:58 0 d-------- C:\cmdcons
2008-05-26 16:26:01 0 d-------- C:\Combo fix <COMBOF~1>
2008-05-26 15:39:38 0 d-------- C:\Program Files\Trend Micro
2008-05-26 15:33:26 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-26 15:32:17 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-05-26 15:32:17 0 d-------- C:\Documents and Settings\Γεράσιμος Κύρλος\Application Data\SUPERAntiSpyware.com
2008-05-24 20:12:48 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2008-05-20 17:21:24 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-20 17:18:34 0 d-------- C:\Program Files\WinClamAVShield
2008-05-20 17:13:00 0 d-------- C:\searchplugins <SEARCH~1>
2008-05-20 17:12:16 0 d-------- C:\Program Files\Crawler
2008-05-20 17:11:54 141312 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2008-05-20 17:11:45 0 d-------- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-05-20 17:11:44 0 d-------- C:\Documents and Settings\Γεράσιμος Κύρλος\Application Data\Spyware Terminator
2008-05-20 17:11:37 0 d-------- C:\Program Files\Spyware Terminator
2008-05-17 13:10:44 0 d-------- C:\Program Files\Incomplete
2008-05-13 16:14:38 110602 --a------ C:\WINDOWS\system32\xcdsfx32.bin
2008-05-13 16:14:35 0 d-------- C:\Program Files\Driver Magician

-- Find3M Report ---------------------------------------------------------------

2008-05-28 00:48:01 0 d-------- C:\Documents and Settings\Γεράσιμος Κύρλος\Application Data\Skype
2008-05-28 00:45:17 5112 --a------ C:\WINDOWS\GPCIDrv.sys
2008-05-27 23:34:28 0 d-------- C:\Program Files\Warcraft III
2008-05-27 21:47:48 0 d-------- C:\Documents and Settings\Γεράσιμος Κύρλος\Application Data\uTorrent
2008-05-27 21:47:30 0 d-------- C:\Documents and Settings\Γεράσιμος Κύρλος\Application Data\skypePM
2008-05-27 02:25:04 597860 --a------ C:\WINDOWS\system32\perfh008.dat
2008-05-27 02:25:04 112858 --a------ C:\WINDOWS\system32\perfc008.dat
2008-05-27 01:45:33 0 d-------- C:\Program Files\VirtualDJ
2008-05-27 01:44:04 0 d-------- C:\Program Files\Java
2008-05-27 00:31:14 127823 --a------ C:\Documents and Settings\Γεράσιμος Κύρλος\Application Data\Cosmos Prefs
2008-05-26 16:10:38 3344 --a------ C:\Documents and Settings\Γεράσιμος Κύρλος\Application Data\wklnhst.dat
2008-05-26 15:31:49 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-24 20:12:18 0 d-------- C:\Program Files\Common Files\Adobe
2008-05-24 20:00:19 0 d-------- C:\Documents and Settings\Γεράσιμος Κύρλος\Application Data\AdobeUM
2008-05-23 07:20:04 0 d-------- C:\Documents and Settings\Γεράσιμος Κύρλος\Application Data\SiteAdvisor <SITEAD~1>
2008-05-20 18:21:33 0 d-------- C:\Program Files\DAEMON Tools
2008-05-20 18:21:31 0 d-------- C:\Program Files\Intelore
2008-05-17 13:20:09 0 d-------- C:\Program Files\LimeWire
2008-05-14 15:59:42 0 d-------- C:\Program Files\World of Warcraft
2008-05-13 16:40:40 0 d-------- C:\Program Files\MagicISO
2008-05-13 16:27:15 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-13 16:11:02 0 d-------- C:\Program Files\ImTOO
2008-05-13 16:10:51 0 d-------- C:\Program Files\NCH Swift Sound
2008-05-10 00:47:49 0 d-------- C:\Program Files\DivX
2008-04-23 11:55:11 0 d-------- C:\Program Files\ePrompter
2008-04-18 13:09:37 0 d-------- C:\Documents and Settings\Γεράσιμος Κύρλος\Application Data\LimeWire
2008-04-16 13:50:38 0 d-------- C:\Documents and Settings\Γεράσιμος Κύρλος\Application Data\U3
2008-04-09 18:18:50 0 d-------- C:\Program Files\Opera
2008-04-09 11:40:42 0 d-------- C:\Program Files\AvRack
2008-04-03 01:01:12 0 d-------- C:\Program Files\RadarSync Ltd
2008-04-03 00:53:31 0 d-------- C:\Documents and Settings\Γεράσιμος Κύρλος\Application Data\Auslogics
2008-04-03 00:53:22 0 d-------- C:\Program Files\Auslogics
2008-04-02 16:26:16 0 d-------- C:\Program Files\Creative
2008-04-02 15:49:01 0 d-------- C:\Program Files\Realtek AC97
2008-04-02 15:36:32 0 d-------- C:\Program Files\SymplisIT
2008-04-01 00:25:48 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2008-04-01 00:25:48 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2008-04-01 00:25:46 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2008-04-01 00:25:46 831488 --a------ C:\WINDOWS\system32\divx_xx0a.dll
2008-04-01 00:25:46 682496 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2008-03-31 14:05:33 0 d-------- C:\Program Files\Cosmos
2008-03-21 23:30:08 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-03-21 23:28:54 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-03-21 23:28:54 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-03-21 23:28:20 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"USB Storage RW"="C:\Program Files\USB Storage RW\DskWatch.exe" [23/12/2004 03:00 ££]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [31/07/2006 06:03 ££]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [05/12/2007 02:41 §£]
"nwiz"="nwiz.exe" [05/12/2007 02:41 §£ C:\WINDOWS\system32\nwiz.exe]
"VGAUtil"="C:\Program Files\GigaByte\VGA Utility Manager\G-VGA.exe" [02/01/2007 10:22 §£]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [04/12/2005 04:39 ££]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [05/12/2007 02:41 §£]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [25/03/2008 03:52 ££]
"SoundMan"="SOUNDMAN.EXE" [16/04/2007 04:28 ££ C:\WINDOWS\SOUNDMAN.EXE]
"CnxDslTaskBar"="C:\Program Files\ZTE\ZXDSL852\CnxDslTb.exe" [16/03/2005 02:14 ££]
"SpywareTerminator"="C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe" [20/05/2008 05:11 ££]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [25/03/2008 04:28 §£]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [08/02/2008 06:36 ££]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [07/09/2004 03:00 ££]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [18/10/2007 12:34 ££]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [01/02/2008 06:22 ££]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [27/05/2008 03:08 §£]

C:\Documents and Settings\‚œ¨α© £¦ ‰η¨Ά¦\Start Menu\�¨¦š¨α££˜«˜\„΅΅ε¤ž©ž\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [29/8/2003 7:05:35 ££]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
"disableregistrytools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{166BCB27-FCFD-4588-9BDB-44FC6A02EF35}"= C:\WINDOWS\system32\nnnKBTkk.dll [ ]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [27/05/2008 03:08 §£ 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 27/05/2008 03:08 §£ 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\nnnljjHB

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{050c8c59-0ae8-11dd-b67e-00d0d08b48af}]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ef78dd41-5ace-11db-9cf1-806d6172696f}]

-- End of Deckard's System Scanner: finished at 2008-05-28 00:51:47 ------------

Edited by Redgerasimos, 27 May 2008 - 04:01 PM.

#24
kahdah

Posted 27 May 2008 - 04:27 PM

GeekU Teacher

Retired Staff
15,822 posts

Hi I need for you to double click on the fixthis.reg that I had you do first before the Avenger.
If you did not create it then please re-read the instructions right before the Avenger and apply that.
Meaning Double click on the file I had you create.
Then post a fresh dss log.

#25
Redgerasimos

Posted 28 May 2008 - 04:33 AM

Member

Topic Starter
Member
25 posts

I did exactly as u told me...I 1st made a backup from the command u posted on start>run...then i created that fixthis.reg with the commands u posted and clicked yes and said registry changed succesful...then i runned avenger and pasted the commands and the reported is in my previous post...after that i runned dss and here is the new report that popped up when it finished...

Deckard's System Scanner v20071014.68
Run by Γεράσιμος Κύρλος on 2008-05-28 13:28:32
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- HijackThis (run as Γεράσιμος Κύρλος.exe) -----------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:28:57 μμ, on 28/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\USB Storage RW\DskWatch.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\GigaByte\VGA Utility Manager\G-VGA.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ZTE\ZXDSL852\CnxDslTb.exe
C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Documents and Settings\Γεράσιμος Κύρλος\Επιφάνεια εργασίας\PC repair\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\ED8F~1.EXE
C:\Program Files\Opera\Opera.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aokerkyra.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.c...spx?tb_id=60327
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.c...aspx?TbId=60327
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Συνδέσεις
R3 - URLSearchHook: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Βοηθός εισόδου του Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O4 - HKLM\..\Run: [USB Storage RW] C:\Program Files\USB Storage RW\DskWatch.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [VGAUtil] C:\Program Files\GigaByte\VGA Utility Manager\G-VGA.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Program Files\ZTE\ZXDSL852\CnxDslTb.exe" "ZTE\ZXDSL852"
O4 - HKLM\..\Run: [SpywareTerminator] "C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: Λήψη όλων με το FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Λήψη με χρήση του FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Προσθήκη στο ιστολόγιο - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Προσθήκη στο ιστολόγιο στο Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab55579.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/...dy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab55579.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1192450896109
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemreq.../sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1192450882062
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoe...ggPublisher.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/...xy.cab55579.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://plugin.driver...driveragent.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/...on.cab55579.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 12409 bytes

-- Files created between 2008-04-28 and 2008-05-28 -----------------------------

2008-05-28 13:15:54 106336696 --a------ C:\registrybackup.reg
2008-05-28 00:02:46 788 --a------ C:\avexport.bat
2008-05-27 16:19:56 686630 --a------ C:\dss.exe
2008-05-27 15:37:33 0 d-------- C:\Program Files\SpywareGuard
2008-05-27 13:52:10 96645 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-05-27 13:52:10 87941 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-05-27 13:49:35 0 d-------- C:\Program Files\Kaspersky Lab
2008-05-27 02:47:08 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-05-27 02:34:35 0 d-------- C:\327882R2FWJFW
2008-05-26 17:00:58 0 d-------- C:\cmdcons
2008-05-26 16:26:01 0 d-------- C:\Combo fix
2008-05-26 15:39:38 0 d-------- C:\Program Files\Trend Micro
2008-05-26 15:33:26 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-26 15:32:17 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-05-26 15:32:17 0 d-------- C:\Documents and Settings\Γεράσιμος Κύρλος\Application Data\SUPERAntiSpyware.com
2008-05-24 20:12:48 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2008-05-20 17:21:24 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-20 17:18:34 0 d-------- C:\Program Files\WinClamAVShield
2008-05-20 17:13:00 0 d-------- C:\searchplugins
2008-05-20 17:12:16 0 d-------- C:\Program Files\Crawler
2008-05-20 17:11:54 141312 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2008-05-20 17:11:45 0 d-------- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-05-20 17:11:44 0 d-------- C:\Documents and Settings\Γεράσιμος Κύρλος\Application Data\Spyware Terminator
2008-05-20 17:11:37 0 d-------- C:\Program Files\Spyware Terminator
2008-05-17 13:10:44 0 d-------- C:\Program Files\Incomplete
2008-05-13 16:14:38 110602 --a------ C:\WINDOWS\system32\xcdsfx32.bin
2008-05-13 16:14:35 0 d-------- C:\Program Files\Driver Magician

-- Find3M Report ---------------------------------------------------------------

2008-05-28 13:30:26 0 d-------- C:\Documents and Settings\Γεράσιμος Κύρλος\Application Data\Skype
2008-05-28 13:25:38 5112 --a------ C:\WINDOWS\GPCIDrv.sys
2008-05-28 13:08:30 0 d-------- C:\Documents and Settings\Γεράσιμος Κύρλος\Application Data\skypePM
2008-05-27 23:34:28 0 d-------- C:\Program Files\Warcraft III
2008-05-27 21:47:48 0 d-------- C:\Documents and Settings\Γεράσιμος Κύρλος\Application Data\uTorrent
2008-05-27 02:25:04 597860 --a------ C:\WINDOWS\system32\perfh008.dat
2008-05-27 02:25:04 112858 --a------ C:\WINDOWS\system32\perfc008.dat
2008-05-27 01:45:33 0 d-------- C:\Program Files\VirtualDJ
2008-05-27 01:44:04 0 d-------- C:\Program Files\Java
2008-05-27 00:31:14 127823 --a------ C:\Documents and Settings\Γεράσιμος Κύρλος\Application Data\Cosmos Prefs
2008-05-26 16:10:38 3344 --a------ C:\Documents and Settings\Γεράσιμος Κύρλος\Application Data\wklnhst.dat
2008-05-26 15:31:49 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-24 20:12:18 0 d-------- C:\Program Files\Common Files\Adobe
2008-05-24 20:00:19 0 d-------- C:\Documents and Settings\Γεράσιμος Κύρλος\Application Data\AdobeUM
2008-05-23 07:20:04 0 d-------- C:\Documents and Settings\Γεράσιμος Κύρλος\Application Data\SiteAdvisor
2008-05-20 18:21:33 0 d-------- C:\Program Files\DAEMON Tools
2008-05-20 18:21:31 0 d-------- C:\Program Files\Intelore
2008-05-17 13:20:09 0 d-------- C:\Program Files\LimeWire
2008-05-14 15:59:42 0 d-------- C:\Program Files\World of Warcraft
2008-05-13 16:40:40 0 d-------- C:\Program Files\MagicISO
2008-05-13 16:27:15 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-13 16:11:02 0 d-------- C:\Program Files\ImTOO
2008-05-13 16:10:51 0 d-------- C:\Program Files\NCH Swift Sound
2008-05-10 00:47:49 0 d-------- C:\Program Files\DivX
2008-04-23 11:55:11 0 d-------- C:\Program Files\ePrompter
2008-04-18 13:09:37 0 d-------- C:\Documents and Settings\Γεράσιμος Κύρλος\Application Data\LimeWire
2008-04-16 13:50:38 0 d-------- C:\Documents and Settings\Γεράσιμος Κύρλος\Application Data\U3
2008-04-09 18:18:50 0 d-------- C:\Program Files\Opera
2008-04-09 11:40:42 0 d-------- C:\Program Files\AvRack
2008-04-03 01:01:12 0 d-------- C:\Program Files\RadarSync Ltd
2008-04-03 00:53:31 0 d-------- C:\Documents and Settings\Γεράσιμος Κύρλος\Application Data\Auslogics
2008-04-03 00:53:22 0 d-------- C:\Program Files\Auslogics
2008-04-02 16:26:16 0 d-------- C:\Program Files\Creative
2008-04-02 15:49:01 0 d-------- C:\Program Files\Realtek AC97
2008-04-02 15:36:32 0 d-------- C:\Program Files\SymplisIT
2008-04-01 00:25:48 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2008-04-01 00:25:48 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2008-04-01 00:25:46 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2008-04-01 00:25:46 831488 --a------ C:\WINDOWS\system32\divx_xx0a.dll
2008-04-01 00:25:46 682496 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2008-03-31 14:05:33 0 d-------- C:\Program Files\Cosmos
2008-03-21 23:30:08 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-03-21 23:28:54 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-03-21 23:28:54 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-03-21 23:28:20 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"USB Storage RW"="C:\Program Files\USB Storage RW\DskWatch.exe" [23/12/2004 03:00 ££]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [31/07/2006 06:03 ££]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [05/12/2007 02:41 §£]
"nwiz"="nwiz.exe" [05/12/2007 02:41 §£ C:\WINDOWS\system32\nwiz.exe]
"VGAUtil"="C:\Program Files\GigaByte\VGA Utility Manager\G-VGA.exe" [02/01/2007 10:22 §£]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [04/12/2005 04:39 ££]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [05/12/2007 02:41 §£]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [25/03/2008 03:52 ££]
"SoundMan"="SOUNDMAN.EXE" [16/04/2007 04:28 ££ C:\WINDOWS\SOUNDMAN.EXE]
"CnxDslTaskBar"="C:\Program Files\ZTE\ZXDSL852\CnxDslTb.exe" [16/03/2005 02:14 ££]
"SpywareTerminator"="C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe" [20/05/2008 05:11 ££]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [25/03/2008 04:28 §£]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [08/02/2008 06:36 ££]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [07/09/2004 03:00 ££]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [18/10/2007 12:34 ££]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [01/02/2008 06:22 ££]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [27/05/2008 03:08 §£]

C:\Documents and Settings\‚œ¨α© £¦ ‰η¨Ά¦\Start Menu\¨¦š¨α££˜«˜\„΅΅ε¤ž©ž\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [29/8/2003 7:05:35 ££]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
"disableregistrytools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{166BCB27-FCFD-4588-9BDB-44FC6A02EF35}"= C:\WINDOWS\system32\nnnKBTkk.dll [ ]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [27/05/2008 03:08 §£ 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 27/05/2008 03:08 §£ 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{050c8c59-0ae8-11dd-b67e-00d0d08b48af}]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ef78dd41-5ace-11db-9cf1-806d6172696f}]

-- End of Deckard's System Scanner: finished at 2008-05-28 13:32:09 ------------

#26
kahdah

Posted 28 May 2008 - 05:58 AM

GeekU Teacher

Retired Staff
15,822 posts

Please open up Notepad and copy all of the items in the code box below.
Change the "Save As Type" to "All Files". Save it as fixthis2.reg on your Desktop.

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{166BCB27-FCFD-4588-9BDB-44FC6A02EF35}"=-

Now double-click fixthis2.reg.
A window will come up asking if you want to let it merge with the registry.
Click yes.
Reboot for the changes to take place and post one more dss log and then let me know how it is running?

#27
Redgerasimos

Posted 28 May 2008 - 11:56 AM

Member

Topic Starter
Member
25 posts

Had some probs while starting up my PC again when i changed the registry and restarted the PC...My comp is ok i think...Kaspersky still has some virtumonde infections but not on system32 folder...They are at temporary internet files folder and on system volume information folder...Want me to post exact locations of the infected files and do a full scan with Kaspersky?

Deckard's System Scanner v20071014.68
Run by Γεράσιμος Κύρλος on 2008-05-28 20:54:28
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- HijackThis (run as Γεράσιμος Κύρλος.exe) -----------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:54:43 μμ, on 28/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\USB Storage RW\DskWatch.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\GigaByte\VGA Utility Manager\G-VGA.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ZTE\ZXDSL852\CnxDslTb.exe
C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Documents and Settings\Γεράσιμος Κύρλος\Επιφάνεια εργασίας\PC repair\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\ED8F~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aokerkyra.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.c...spx?tb_id=60327
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.c...aspx?TbId=60327
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Συνδέσεις
R3 - URLSearchHook: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Βοηθός εισόδου του Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O4 - HKLM\..\Run: [USB Storage RW] C:\Program Files\USB Storage RW\DskWatch.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [VGAUtil] C:\Program Files\GigaByte\VGA Utility Manager\G-VGA.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Program Files\ZTE\ZXDSL852\CnxDslTb.exe" "ZTE\ZXDSL852"
O4 - HKLM\..\Run: [SpywareTerminator] "C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: Λήψη όλων με το FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Λήψη με χρήση του FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Προσθήκη στο ιστολόγιο - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Προσθήκη στο ιστολόγιο στο Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab55579.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/...dy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab55579.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1192450896109
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemreq.../sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1192450882062
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoe...ggPublisher.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/...xy.cab55579.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://plugin.driver...driveragent.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/...on.cab55579.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 12375 bytes

-- Files created between 2008-04-28 and 2008-05-28 -----------------------------

2008-05-28 13:15:54 106336696 --a------ C:\registrybackup.reg
2008-05-28 00:02:46 788 --a------ C:\avexport.bat
2008-05-27 16:19:56 686630 --a------ C:\dss.exe
2008-05-27 15:37:33 0 d-------- C:\Program Files\SpywareGuard
2008-05-27 13:52:10 96645 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-05-27 13:52:10 87941 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-05-27 13:49:35 0 d-------- C:\Program Files\Kaspersky Lab
2008-05-27 02:47:08 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-05-27 02:34:35 0 d-------- C:\327882R2FWJFW
2008-05-26 17:00:58 0 d-------- C:\cmdcons
2008-05-26 16:26:01 0 d-------- C:\Combo fix
2008-05-26 15:39:38 0 d-------- C:\Program Files\Trend Micro
2008-05-26 15:33:26 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-26 15:32:17 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-05-26 15:32:17 0 d-------- C:\Documents and Settings\Γεράσιμος Κύρλος\Application Data\SUPERAntiSpyware.com
2008-05-24 20:12:48 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2008-05-20 17:21:24 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-20 17:18:34 0 d-------- C:\Program Files\WinClamAVShield
2008-05-20 17:13:00 0 d-------- C:\searchplugins
2008-05-20 17:12:16 0 d-------- C:\Program Files\Crawler
2008-05-20 17:11:54 141312 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2008-05-20 17:11:45 0 d-------- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-05-20 17:11:44 0 d-------- C:\Documents and Settings\Γεράσιμος Κύρλος\Application Data\Spyware Terminator
2008-05-20 17:11:37 0 d-------- C:\Program Files\Spyware Terminator
2008-05-17 13:10:44 0 d-------- C:\Program Files\Incomplete
2008-05-13 16:14:38 110602 --a------ C:\WINDOWS\system32\xcdsfx32.bin
2008-05-13 16:14:35 0 d-------- C:\Program Files\Driver Magician

-- Find3M Report ---------------------------------------------------------------

2008-05-28 20:56:07 0 d-------- C:\Documents and Settings\Γεράσιμος Κύρλος\Application Data\Skype
2008-05-28 20:52:29 0 d-------- C:\Documents and Settings\Γεράσιμος Κύρλος\Application Data\skypePM
2008-05-28 20:50:48 5112 --a------ C:\WINDOWS\GPCIDrv.sys
2008-05-28 18:23:15 0 d-------- C:\Documents and Settings\Γεράσιμος Κύρλος\Application Data\uTorrent
2008-05-28 18:19:38 0 d-------- C:\Program Files\Warcraft III
2008-05-28 13:41:29 127823 --a------ C:\Documents and Settings\Γεράσιμος Κύρλος\Application Data\Cosmos Prefs
2008-05-27 02:25:04 597860 --a------ C:\WINDOWS\system32\perfh008.dat
2008-05-27 02:25:04 112858 --a------ C:\WINDOWS\system32\perfc008.dat
2008-05-27 01:45:33 0 d-------- C:\Program Files\VirtualDJ
2008-05-27 01:44:04 0 d-------- C:\Program Files\Java
2008-05-26 16:10:38 3344 --a------ C:\Documents and Settings\Γεράσιμος Κύρλος\Application Data\wklnhst.dat
2008-05-26 15:31:49 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-24 20:12:18 0 d-------- C:\Program Files\Common Files\Adobe
2008-05-24 20:00:19 0 d-------- C:\Documents and Settings\Γεράσιμος Κύρλος\Application Data\AdobeUM
2008-05-23 07:20:04 0 d-------- C:\Documents and Settings\Γεράσιμος Κύρλος\Application Data\SiteAdvisor
2008-05-20 18:21:33 0 d-------- C:\Program Files\DAEMON Tools
2008-05-20 18:21:31 0 d-------- C:\Program Files\Intelore
2008-05-17 13:20:09 0 d-------- C:\Program Files\LimeWire
2008-05-14 15:59:42 0 d-------- C:\Program Files\World of Warcraft
2008-05-13 16:40:40 0 d-------- C:\Program Files\MagicISO
2008-05-13 16:27:15 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-13 16:11:02 0 d-------- C:\Program Files\ImTOO
2008-05-13 16:10:51 0 d-------- C:\Program Files\NCH Swift Sound
2008-05-10 00:47:49 0 d-------- C:\Program Files\DivX
2008-04-23 11:55:11 0 d-------- C:\Program Files\ePrompter
2008-04-18 13:09:37 0 d-------- C:\Documents and Settings\Γεράσιμος Κύρλος\Application Data\LimeWire
2008-04-16 13:50:38 0 d-------- C:\Documents and Settings\Γεράσιμος Κύρλος\Application Data\U3
2008-04-09 18:18:50 0 d-------- C:\Program Files\Opera
2008-04-09 11:40:42 0 d-------- C:\Program Files\AvRack
2008-04-03 01:01:12 0 d-------- C:\Program Files\RadarSync Ltd
2008-04-03 00:53:31 0 d-------- C:\Documents and Settings\Γεράσιμος Κύρλος\Application Data\Auslogics
2008-04-03 00:53:22 0 d-------- C:\Program Files\Auslogics
2008-04-02 16:26:16 0 d-------- C:\Program Files\Creative
2008-04-02 15:49:01 0 d-------- C:\Program Files\Realtek AC97
2008-04-02 15:36:32 0 d-------- C:\Program Files\SymplisIT
2008-04-01 00:25:48 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2008-04-01 00:25:48 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2008-04-01 00:25:46 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2008-04-01 00:25:46 831488 --a------ C:\WINDOWS\system32\divx_xx0a.dll
2008-04-01 00:25:46 682496 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2008-03-31 14:05:33 0 d-------- C:\Program Files\Cosmos
2008-03-21 23:30:08 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-03-21 23:28:54 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-03-21 23:28:54 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-03-21 23:28:20 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"USB Storage RW"="C:\Program Files\USB Storage RW\DskWatch.exe" [23/12/2004 03:00 ££]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [31/07/2006 06:03 ££]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [05/12/2007 02:41 §£]
"nwiz"="nwiz.exe" [05/12/2007 02:41 §£ C:\WINDOWS\system32\nwiz.exe]
"VGAUtil"="C:\Program Files\GigaByte\VGA Utility Manager\G-VGA.exe" [02/01/2007 10:22 §£]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [04/12/2005 04:39 ££]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [05/12/2007 02:41 §£]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [25/03/2008 03:52 ££]
"SoundMan"="SOUNDMAN.EXE" [16/04/2007 04:28 ££ C:\WINDOWS\SOUNDMAN.EXE]
"CnxDslTaskBar"="C:\Program Files\ZTE\ZXDSL852\CnxDslTb.exe" [16/03/2005 02:14 ££]
"SpywareTerminator"="C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe" [20/05/2008 05:11 ££]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [25/03/2008 04:28 §£]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [08/02/2008 06:36 ££]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [07/09/2004 03:00 ££]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [18/10/2007 12:34 ££]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [01/02/2008 06:22 ££]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [27/05/2008 03:08 §£]

C:\Documents and Settings\‚œ¨α© £¦ ‰η¨Ά¦\Start Menu\�¨¦š¨α££˜«˜\„΅΅ε¤ž©ž\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [29/8/2003 7:05:35 ££]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
"disableregistrytools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [27/05/2008 03:08 §£ 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 27/05/2008 03:08 §£ 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{050c8c59-0ae8-11dd-b67e-00d0d08b48af}]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ef78dd41-5ace-11db-9cf1-806d6172696f}]

-- End of Deckard's System Scanner: finished at 2008-05-28 20:57:03 ------------

Edited by Redgerasimos, 28 May 2008 - 12:11 PM.

#28
kahdah

Posted 28 May 2008 - 03:24 PM

GeekU Teacher

Retired Staff
15,822 posts

Yes post only the ones not in the system volume information folder.
That kaspersky finds.

#29
Redgerasimos

Posted 28 May 2008 - 03:52 PM

Member

Topic Starter
Member
25 posts

Thats from the System volume folder...
detected: adware not-a-virus:AdWare.Win32.Virtumonde.tsz File: C:\System Volume Information\_restore{FB5FF3B2-5AB7-4B69-B321-39A11BEEFE29}\RP5\A0001256.dll

detected: adware not-a-virus:AdWare.Win32.Virtumonde.ttc File: C:\System Volume Information\_restore{FB5FF3B2-5AB7-4B69-B321-39A11BEEFE29}\RP5\A0001255.dll

There is also this from the temporary internet files folder...But i think this one changes name somehow and Kaspersky once i tried to delete them said not found -_- I didnt disenfect or deleted these files coz they will just reapear i think...I am w8ing commands sir! I will also do a full scan this night i will keep u in touch if i find something more.

detected: adware not-a-virus:AdWare.Win32.Virtumonde.ttd File: C:\Documents and Settings\ÃåñÜóéìïò Êýñëïò\Local Settings\Temporary Internet files\Content.IE5\7O7W3VOZ\css4[1]

detected: adware not-a-virus:AdWare.Win32.Virtumonde.tsz File: C:\Documents and Settings\ÃåñÜóéìïò Êýñëïò\Local Settings\Temporary Internet files\Content.IE5\NNKVTSM1\kb516107[1]

#30
kahdah

Posted 28 May 2008 - 04:00 PM

GeekU Teacher

Retired Staff
15,822 posts

Hi the reason those show up is because they are in use and can only be moved in the normal windows.
So Please download the OTMoveIt2 by OldTimer.

Save it to your desktop.
Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")

Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

C:\Documents and Settings\ÃåñÜóéìïò Êýñëïò\Local Settings\Temporary Internet files\Content.IE5\7O7W3VOZ\*.*
C:\Documents and Settings\ÃåñÜóéìïò Êýñëïò\Local Settings\Temporary Internet files\Content.IE5\NNKVTSM1\*.*

Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light Yellow bar) and choose Paste.
Click the red Moveit! button.
OTMoveit2 will create a log of moved files in the C:\_OTMoveIt\MovedFiles folder. The log's name will appear as the date and time it was created, with the format mmddyyyy_hhmmss.log. Open this log in Notepad and post its contents in your next reply.
Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
=====================================
Post the otmove it log and then update kaspersky and run a full system scan tonight.
Let me know if it finds something it cannot delete.