Trojan:WinNT/Alureon.C

February 8th, 2020

Trojan:WinNT/Alureon.C
any info on how i can remove it?

Answer #1
I'll help you remove it. Please do the following:
Download HijackThis
http://download.bleepingcomputer.com/hijackthis/HJTInstall.exe

  • Double Click on the saved file
  • When it runs, make sure you save it to C:\Program Files\Trend Micro\HijackThis
    or

  • If you would like to save it in another place change the directory
  • When it has finished installing, hijackthis will automatically launch, then click on I accept
  • Click on “Do a system scan and save a logfile” button
  • When finished scanning it will produce a log, copy/paste the components of the log in your next post

**Do not use hijackthis’ “Analyze This” button as it has been known to give out false positives
Answer #2
Trojan:WinNT/Alureon.C
any info on how i can remove it?

It's most likely malware. Get anti-malware and remove it, or get Kaspersky and remove the trojan via Kaspersky.
Answer #3
Sophos identifies this as Mal/TDSS-B and gives the following advice:
Sophos Anti-Virus: Removal of TDSS family of trojans
The TDSS family of Trojans is a new type of malware commonly encountered following a successful installation of the FakeAV and Alureon malware families. Sophos provides detection and blocking of these malware families and of TDSS. However if TDSS manages to install itself successfully, for example on a computer without up-to-date and active Sophos Anti-Virus, it can be very hard to remove.
Once it installs, TDSS manages to corrupt all major anti-virus programs, including Sophos Anti-Virus. It also uses rootkit techniques to hide from the Windows file system.

http://www.sophos.com/support/knowledgebase/article/55430.html
best option is a complete system format and reinstall
Answer #4
Formatting isn't needed; all that he needs to do is post a HJT log, then I can go deeper into this situation.
Answer #5
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:14:41 πμ, on 28/4/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Crypto\AccessRunner ADSL\CnxDslTb.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Petros\Επιφάνεια εργασίας\ΠΡΟΓΡΑΜΜΑΤΑ\HDD Thermometer\HDD Thermometer.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\GATE\Επιφάνεια εργασίας\windows-kb890830-v2.9.exe
c:\5f959c5385a52bca400232f005861115\mrtstub.exe
C:\WINDOWS\system32\MRT.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.teimes.gr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Συνδέσεις
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\PROGRA~1\FlashGet\getflash.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [Συντόμευση σελίδας ιδιοτήτων του High Definition Audio] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [CnxTrApp] rundll32.exe "C:\Program Files\Microcom\Microcom USB Network\CnxTrApp.dll",AppEntry -REG "Conexant\Conexant USB Network"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Program Files\Crypto\AccessRunner ADSL\CnxDslTb.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RSD_HDDThermo] C:\Documents and Settings\Petros\Επιφάνεια εργασίας\ΠΡΟΓΡΑΜΜΑΤΑ\HDD Thermometer\HDD Thermometer.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Σήμερα.lnk = C:\Program Files\Today\TODAY.EXE
O8 - Extra context menu item: E&ξαγωγή στο Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Λήψη όλων με το FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Λήψη με χρήση του FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Αποστολή στο OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Α&ποστολή στο OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


End of file - 9765 bytes
Please remember that ALL links must be coded, including, but not limited to, e-mail addresses, passwords, and internal links. Coded for you this time-Search.
Answer #6
TDSS-B is a rootkit that hooks system calls to hide its presence. HijackThis isn't likely to show anything.
BTW, what antivirus detected this?
Answer #7
TDSS-B is a rootkit that hooks system calls to hide its presence. HijackThis isn't likely to show anything.
BTW, what antivirus detected this?

Microsoft Malicious Software Removal Tool. I found it after I had been infected.
Answer #8
Please do the following: Fix HijackThis entries:

  • Launch HijackThis
  • Click on the “Scan” button
  • Put a “check” on all of the items below
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Run: [CnxTrApp] rundll32.exe "C:\Program Files\Microcom\Microcom USB Network\CnxTrApp.dll",AppEntry -REG "Conexant\Conexant USB Network"

  • Close all browsers, open windows, etc..
  • Click on the “Fix Checked” button
  • When the fixing has finished, close hijackthis

Download ComboFix from one of these locations:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply with a fresh HijackThis log.
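As an added example, not code from this thread or from HijackThis itself: a small Python parser for the HijackThis 2.0 log format posted in Answer #5 that applies the three checks a helper applies by hand when picking entries to fix in Answer #8: a BHO (O2) whose CLSID points at a file that no longer exists, a Run value (O4) that starts rundll32 with a DLL, and a service (O23) with no identifiable publisher. The sample log excerpt is constructed from entries quoted in this thread; the regular expressions and the `Finding`/`triage` names are my own assumptions about the format, not part of the tool.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in HijackThis 2.0 log format, modelled on entries quoted in
# this thread (a short excerpt, not the full log posted in Answer #5).
SAMPLE_LOG = """\
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\\WINDOWS\\system32\\svchost.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.6.0_07\\bin\\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\\..\\Run: [avgnt] "C:\\Program Files\\Avira\\AntiVir PersonalEdition Classic\\avgnt.exe" /min
O4 - HKLM\\..\\Run: [CnxTrApp] rundll32.exe "C:\\Program Files\\Microcom\\Microcom USB Network\\CnxTrApp.dll",AppEntry -REG "Conexant\\Conexant USB Network"
O23 - Service: ATI Smart - Unknown owner - C:\\WINDOWS\\system32\\ati2sgag.exe
O23 - Service: PnkBstrA - Unknown owner - C:\\WINDOWS\\system32\\PnkBstrA.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe
"""

# Assumed layout of the entry lines: "<section> - <body>", e.g. "O2 - BHO: ...".
ENTRY_RE = re.compile(r"^(?P<section>[OR]\d+) - (?P<body>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
RUN_RE = re.compile(r"^(?P<hive>\S+)\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.*)$")
SVC_RE = re.compile(r"^Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<path>.*)$")


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. O2, O4, O23
    reason: str    # why the entry deserves a closer look
    line: str      # the original log line, for the reply post


def triage(log_text: str) -> List[Finding]:
    """Return the entries a helper would typically ask about first.

    Heuristics (hypothetical, mirroring what Answer #8 does by hand):
      * O2 BHO whose DLL is missing ("(no file)"): an orphaned registration
      * O4 Run value that starts rundll32 with a DLL: code loaded indirectly
      * O23 service whose binary has no publisher ("Unknown owner")
    """
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header lines, the process list, blank lines
        section, body = m.group("section"), m.group("body")

        if section == "O2":
            b = BHO_RE.match(body)
            if b and b.group("path").lower() == "(no file)":
                findings.append(Finding(section, "BHO registered but its DLL is missing (orphaned entry)", line))

        elif section == "O4":
            r = RUN_RE.match(body)
            if r and r.group("cmd").lower().startswith("rundll32"):
                findings.append(Finding(section, f"Run value '{r.group('value')}' loads a DLL via rundll32", line))

        elif section == "O23":
            s = SVC_RE.match(body)
            if s and s.group("vendor").lower() == "unknown owner":
                findings.append(Finding(section, f"service '{s.group('name')}' has no publisher information", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

Run against the sample it reports the orphaned BHO, the CnxTrApp rundll32 entry and the two "Unknown owner" services, and leaves the Avira and ZoneAlarm entries alone. The flags are prompts for a human to verify the file on disk, not a verdict: the CnxTrApp entry in this thread belongs to a USB ADSL modem driver, which is exactly why a helper checks the path before ticking "Fix Checked".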
Answer #9
Instead of trying to remove just one, why not scan your computer using Kaspersky Anti-Virus?
Answer #10
ComboFix 08-07-29.1 - gate 2009-06-15 12:56:06.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1253.1.1032.18.549 [GMT 3:00]
Running from: C:\Documents and Settings\gate\Επιφάνεια εργασίας\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
-- REDUCED FUNCTIONALITY MODE --
.
((((((((((((((((((((((((( Files Created from 2009-05-15 to 2009-06-15 )))))))))))))))))))))))))))))))
.
2009-06-15 12:42 . 2009-06-15 12:42  <DIR>  d--hs----  C:\WINDOWS\system32\config\systemprofile\IETldCache
2009-06-15 12:41 . 2009-06-15 12:41  <DIR>  d--hs----  C:\Documents and Settings\gate\IETldCache
2009-06-15 12:35 . 2009-06-15 12:35  <DIR>  d--------  C:\WINDOWS\ie8updates
2009-06-15 12:35 . 2009-05-01 00:14  246,272  -----c---  C:\WINDOWS\system32\dllcache\ieproxy.dll
2009-06-15 12:35 . 2009-05-12 08:11  102,912  -----c---  C:\WINDOWS\system32\dllcache\iecompat.dll
2009-06-15 12:35 . 2009-05-01 00:14  12,800  -----c---  C:\WINDOWS\system32\dllcache\xpshims.dll
2009-06-15 12:33 . 2009-06-15 12:34  <DIR>  d--h-c---  C:\WINDOWS\ie8
2009-06-15 03:02 . 2009-06-15 12:35  1,374  --a------  C:\WINDOWS\imsins.BAK
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-15 09:42  ---------  d-----w  C:\Documents and Settings\gate\Application Data\HDD Thermometer
2009-06-15 09:19  60,559,595  ----a-w  C:\WINDOWS\Internet Logs\vsmon_2nd_2009_05_30_18_30_42_full.dmp.zip
2009-06-15 01:00  ---------  d-----w  C:\Program Files\FlashGet
2009-06-15 00:07  ---------  d-----w  C:\Documents and Settings\All Users\Application Data\Microsoft Help
2009-05-30 15:31  3,865,088  ----a-w  C:\WINDOWS\Internet Logs\xDB10.tmp
2009-05-13 05:04  915,456  ----a-w  C:\WINDOWS\system32\wininet.dll
2009-05-07 15:32  348,672  ----a-w  C:\WINDOWS\system32\localspl.dll
2009-04-27 16:42  ---------  d-----w  C:\Program Files\Seagate
2009-04-27 16:41  ---------  d-----w  C:\Program Files\Common Files\Wise Installation Wizard
2009-04-27 13:40  ---------  d-----w  C:\Program Files\Classic PhoneTools
2009-04-27 13:39  ---------  d--h--w  C:\Program Files\InstallShield Installation Information
2009-04-27 13:37  ---------  d-----w  C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-25 13:29  4,096  ----a-w  C:\WINDOWS\system32\ftp_non_crp.exe
2009-04-25 07:54  35,328  ----a-w  C:\WINDOWS\system32\prnet.tmp
2009-04-19 19:47  1,847,424  ----a-w  C:\WINDOWS\system32\win32k.sys
2009-04-15 14:52  585,216  ----a-w  C:\WINDOWS\system32\rpcrt4.dll
2009-04-14 01:03  3,702,784  ----a-w  C:\WINDOWS\Internet Logs\xDBF.tmp
2009-04-06 08:50  87,608  ----a-w  C:\Documents and Settings\gate\Application Data\inst.exe
2009-04-06 08:50  47,360  ----a-w  C:\Documents and Settings\gate\Application Data\pcouffin.sys
2009-04-05 23:50  3,536,896  ----a-w  C:\WINDOWS\Internet Logs\xDBE.tmp
2009-04-05 18:14  81,920  ----a-w  C:\Documents and Settings\gate\Application Data\ezpinst.exe
2009-03-18 18:18  7,465,692  ----a-w  C:\WINDOWS\Internet Logs\tvDebug.zip
2009-03-08 18:04  22,328  ----a-w  C:\Documents and Settings\gate\Application Data\PnkBstrK.sys
2007-06-13 13:22  22,040  ---h--w  C:\Documents and Settings\gate\Application Data\wmp2.dat
2008-12-11 17:16  32,768  --sha-w  C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008121120081212\index.dat
2008-10-07 20:20  22,827,040  --sha-w  C:\WINDOWS\system32\drivers\fidbox.dat
2008-03-22 14:24  0  --sha-w  C:\WINDOWS\wmp\wmp.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“CTFMON.EXE”=”C:\WINDOWS\system32\ctfmon.exe” [2008-04-14 19:30 15360]
“RSD_HDDThermo”=”C:\Documents and Settings\gate\Επιφάνεια εργασίας\ΠΡΟΓΡΑΜΜΑΤΑ\HDD Thermometer\HDD Thermometer.exe” [2004-05-05 22:23 212480]
“BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}”=”C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe” [2007-05-16 10:27 153136]
“Yahoo! Pager”=”C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE” [2007-08-30 17:43 4670704]
“MSMSGS”=”C:\Program Files\Messenger\msmsgs.exe” [2008-04-14 19:30 1695232]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“ATIPTA”=”C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe” [2004-11-11 22:10 344064]
“avgnt”=”C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe” [2008-07-18 22:55 266497]
“CnxTrApp”=”C:\Program Files\Microcom\Microcom USB Network\CnxTrApp.dll” [2004-08-07 03:09 247296]
“SunJavaUpdateSched”=”C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe” [2008-06-10 04:27 144784]
“NeroFilterCheck”=”C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe” [2007-03-01 16:57 153136]
“GrooveMonitor”=”C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe” [2007-08-24 07:00 33648]
“HP Software Update”=”C:\Program Files\HP\HP Software Update\HPWuSchd2.exe” [2004-02-12 14:38 49152]
“HP Component Manager”=”C:\Program Files\HP\hpcoretech\hpcmpmgr.exe” [2004-05-12 16:18 241664]
“Zone Labs Client”=”C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe” [2005-11-15 01:51 755472]
“DAEMON Tools”=”C:\Program Files\DAEMON Tools\daemon.exe” [2005-11-09 01:00 128920]
“CnxDslTaskBar”=”C:\Program Files\Crypto\AccessRunner ADSL\CnxDslTb.exe” [2004-04-22 11:04 462848]
“TkBellExe”=”C:\Program Files\Common Files\Real\Update_OB\realsched.exe” [2009-02-21 20:40 198160]
“Συντόμευση σελίδας ιδιοτήτων του High Definition Audio”=”HDAudPropShortcut.exe” [2004-03-17 16:10 61952 C:\WINDOWS\system32\Hdaudpropshortcut.exe]
“SoundMan”=”SOUNDMAN.EXE” [2004-09-23 22:27 77824 C:\WINDOWS\SoundMan.exe]
“AlcWzrd”=”ALCWZRD.EXE” [2004-09-24 21:06 2559488 C:\WINDOWS\ALCWZRD.EXE]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
“CTFMON.EXE”=”C:\WINDOWS\system32\CTFMON.EXE” [2008-04-14 19:30 15360]
C:\Documents and Settings\All Users\Start Menu\Προγράμματα\Εκκίνηση\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 05:44:06 29696]
Σήμερα.lnk - C:\Program Files\Today\TODAY.EXE [2000-12-31 01:09:06 346624]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
“HonorAutoRunSetting”= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
“VIDC.YV12”= yv12vfw.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Προγράμματα^Εκκίνηση^HP Digital Imaging Monitor.lnk]
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Προγράμματα^Εκκίνηση^WinZip Quick Pick.lnk]
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Προγράμματα^Εκκίνηση^Γρήγορη εκκίνηση HP Image Zone.lnk]
backup=C:\WINDOWS\pss\Γρήγορη εκκίνηση HP Image Zone.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVP
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-14 19:30 1695232 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 17:43 4670704 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
“DisableMonitoring”=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
“EnableFirewall”= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
“%windir%\\system32\\sessmgr.exe”=
“%windir%\\Network Diagnostic\\xpnetdiag.exe”=
“C:\\WINDOWS\\system32\\dpvsetup.exe”=
“C:\\WINDOWS\\system32\\rundll32.exe”=
“C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE”=
“C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE”=
“C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE”=
“C:\\Program Files\\Messenger\\msmsgs.exe”=
“C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe”=
“C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe”=
“C:\\Program Files\\KONAMI\\Pro Evolution Soccer 2009\\pes2009.exe”=
“C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe”=
“C:\\Program Files\\Windows Live\\Messenger\\livecall.exe”=
“C:\\WINDOWS\\system32\\PnkBstrA.exe”=
“C:\\WINDOWS\\system32\\PnkBstrB.exe”=
S3 CnxEtP;Crypto F200 USB ADSL WAN Adapter Filter Driver;C:\WINDOWS\system32\DRIVERS\CnxEtP.sys [2003-09-12 05:26]
S3 CnxEtU;Crypto F200 USB ADSL Interface Device Driver;C:\WINDOWS\system32\DRIVERS\CnxEtU.sys [2003-09-12 05:26]
S3 CnxTgN;Crypto F200 USB ADSL WAN Adapter Driver;C:\WINDOWS\system32\DRIVERS\CnxTgN.sys [2003-10-29 10:02]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
“C:\WINDOWS\system32\rundll32.exe” “C:\WINDOWS\system32\iedkcs32.dll”,BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.teimes.gr/
R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore
O8 -: E&ξαγωγή στο Microsoft Excel - C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 -: Λήψη όλων με το FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 -: Λήψη με χρήση του FlashGet - C:\Program Files\FlashGet\jc_link.htm
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-15 12:56:54
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files:
**************************************************************************
.
Completion time: 2009-06-15 12:58:00
ComboFix-quarantined-files.txt 2009-06-15 09:57:57
Pre-Run: 11 Κατάλογοι 31,630,946,304 διαθέσιμα byte
Post-Run: 15 Κατάλογοι 31,727,263,744 διαθέσιμα byte
145  --- E O F ---  2009-06-15 09:35:56
