Downloader.obfuskated

scrapi

Hello there. I've seen a problem that Alexi faced with downloader.obfuscated. I have to admit that I face the same problem. I have kept all the downloader.obfuskated viruses found in the vault, but not still deleted them.Rahina rescue gave Alexi instructions how to face the problem and I followed the same procedure. I followed all the proposed procedure that Trogan proposed me and I now post the findings of my ATF-Cleaner scanning. Thank you for listening me in advance. Here's the report:
File C:\Program Files\VAG-PROGRAMS\MUSIC-DOWNLOAD\E-mule-uninst\eMule0.47a-Installer.exe tagged as not-a-virus:AdWare.Win32.Webdir.b. No Action Taken.
File E:\Downloaded Music\Ellinika\eaeu ia aoneou ooa ?aeea - Mazwnakis.mp3 infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
File E:\My Music\++++++ DOWNLOAD CENTER(incompleted) ++++++\?eco ?Uiio - Oa iaaUea onaaiyaea [Disc 2] - 01 - C ?u? iio uec.mp3 infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
File E:\My Music\CLASSICAL\Stravinsky - Les Noces et Autres\02 - airs aupres du ruisseau.mp3 infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
File E:\My Music\ELLINIKA\Xainides - Me kontra ton kairo\?AUICAAO - Ia euiona oii eaenu.tif infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
File E:\My Music\ETHNIC\SPANISH\De Lucia, Paco - Antologia, vol. 1\05 Punta Umbria Paco de Lucia.mp3 infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
File E:\My Music\INSTRUMENTALS\After Crying - De Profundis\03- az ustokos.mp3 infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
File E:\My Music\INSTRUMENTALS\After Crying - De Profundis\11- elveszett varos.mp3 infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
File E:\My Music\INSTRUMENTALS\Jarre, Jean Michel - Aero\fondo de windows - aero (1024x768).jpg infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
File E:\My Music\INSTRUMENTALS\Jarre, Jean Michel - Aero\jean michel jarre - aero - cd.jpg infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
File E:\My Music\INSTRUMENTALS\Jarre, Jean Michel - Aero\jean michel jarre - aero - denmark in concert 2002 - cd1.jpg infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
File E:\My Music\INSTRUMENTALS\Jarre, Jean Michel - Aero\jean michel jarre - aero - denmark in concert 2002 - cd2.jpg infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
File E:\My Music\INSTRUMENTALS\Jarre, Jean Michel - Aero\jean michel jarre - aero - interior1.jpg infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
File E:\My Music\INSTRUMENTALS\Jarre, Jean Michel - Aero\jean michel jarre - aero - interior2.jpg infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
File E:\My Music\INSTRUMENTALS\Jarre, Jean Michel - Aero\jean michel jarre - aero - trasera.jpg infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
File E:\My Music\INSTRUMENTALS\Jarre, Jean Michel - Aero\jean michel jarre - aero.txt infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
File E:\My Music\INSTRUMENTALS\Jarre, Jean Michel - Aero\poster concierto - aero 2002.jpg infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
File E:\My Music\ROCK\Progressive Rock\Bacamarte - Depois do Fim\04 - Passaro de Luz.mp3 infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
File E:\My Music\ROCK\Progressive Rock\Bacamarte - Depois do Fim\07 - Controversia.mp3 infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
File E:\Programs\VAG_PROGRAMS\DVD-CD PLAYERS\WINAMP\Plugins\avs\Winamp 5 Picks\fck - checkers with metaballs (skupers remix).avs infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
File E:\Programs\VAG_PROGRAMS\MUSIC-DOWNLOAD\E-mule\eMule0.47a-Installer.exe tagged as not-a-virus:AdWare.Win32.Webdir.b. No Action Taken.
File E:\RECYCLER\S-1-5-21-515967899-861567501-682003330-1003\Di127\De Lucia, Paco - Antologia, vol. 1\05 Punta Umbria Paco de Lucia.mp3 infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
File E:\System Volume Information\_restore{32F4C38F-D2CE-492E-B105-B5E31D08DE5C}\RP24\A0007703.exe tagged as not-a-virus:AdWare.Win32.Webdir.b. No Action Taken.

That's also my HighJack log.

Logfile of HijackThis v1.99.1
Scan saved at 5:41:04 μμ, on 7/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\VAG-PROGRAMS\INTERNET & PROTECTION\AVG Anti-spyware\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\VAG-PR~1\INTERN~2\AVGANT~1\avgamsvr.exe
C:\PROGRA~1\VAG-PR~1\INTERN~2\AVGANT~1\avgupsvc.exe
C:\PROGRA~1\VAG-PR~1\INTERN~2\AVGANT~1\avgemc.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Prevx1\PXAgent.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\VAG-PROGRAMS\TOOLS-PAINT-DESIGN\Alcohol.120%.1.9.6.4629\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\PowerS.exe
C:\PROGRA~1\VAG-PR~1\INTERN~2\AVGANT~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\VAG-PROGRAMS\TOOLS-PAINT-DESIGN\Omnipage SE\OpwareSE2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\VAG-PROGRAMS\CD-DVD Players-Converters\Apple-Quicktime\iTunes 7.0.2\iTunesHelper.exe
C:\Program Files\VAG-PROGRAMS\TOOLS-PAINT-DESIGN\Daemon\daemon.exe
C:\Program Files\Prevx1\PXConsole.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\VAG-PROGRAMS\INTERNET & PROTECTION\Mozilla\Mozilla.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\SAGEM\OTEnet-SAGEM Fast 800-840\dslmon.exe
C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe
C:\Program Files\Prolink\PixelView PlayTV Pro 5.24\TVRMVCR.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.gr/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\VAG-PROGRAMS\INTERNET & PROTECTION\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [PowerS] C:\WINDOWS\PowerS.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\VAG-PR~1\INTERN~2\AVGANT~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\VAG-PROGRAMS\TOOLS-PAINT-DESIGN\Omnipage SE\OpwareSE2.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\VAG-PROGRAMS\CD-DVD Players-Converters\Apple-Quicktime\iTunes 7.0.2\iTunesHelper.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\VAG-PROGRAMS\TOOLS-PAINT-DESIGN\Daemon\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Mozilla Quick Launch] "c:\Program Files\VAG-PROGRAMS\INTERNET & PROTECTION\Mozilla\Mozilla.exe" -turbo
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\VAG-PROGRAMS\TOOLS-PAINT-DESIGN\Adobe Reader 8\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\VAG-PROGRAMS\TOOLS-PAINT-DESIGN\Adobe Reader 8\Reader\AdobeCollabSync.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\OTEnet-SAGEM Fast 800-840\dslmon.exe
O4 - Global Startup: gwum.lnk = C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Remote Controller.lnk = C:\Program Files\Prolink\PixelView PlayTV Pro 5.24\TVRMVCR.EXE
O4 - Global Startup: Scheduler.lnk = C:\Program Files\Prolink\PixelView PlayTV Pro 5.24\TVSCHL.EXE
O8 - Extra context menu item: Ε&ξαγωγή στο Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{759DE811-CE46-4193-9013-83F538BB0BBB}: NameServer = 195.170.0.1 195.170.2.2
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\VAG-PROGRAMS\INTERNET & PROTECTION\AVG Anti-spyware\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\VAG-PR~1\INTERN~2\AVGANT~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\VAG-PR~1\INTERN~2\AVGANT~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\VAG-PR~1\INTERN~2\AVGANT~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\VAG-PROGRAMS\TOOLS-PAINT-DESIGN\Alcohol.120%.1.9.6.4629\Alcohol 120\StarWind\StarWindService.exe

Thank you

Veka

Hi scrapi. I will check your log, please wait.

Veka

Hi scrapi. I'm glad to tell you that your HJT log is clean. Does OTENET
ring a bell? Please, download ATF Cleaner and follow instructions

• Run ATF Cleaner
• Under Main choose Select All
• Click Empty Selected
• If you use Firefox browser
  • Click Firefox at the top and choose Select All
  • Click Empty Selected
    NOTE: If you would like to keep your saved passwords, click No at the prompt.
• If you use Opera browser
  • Click Opera at the top and choose Select All
  • Click Empty Selected
    NOTE: If you would like to keep your saved passwords, click No at the prompt
• Click Exit on the Main menu to close the program

==============================================

• Start AVG Anti-Spyware
• Click the Update icon
• Click Start update
• Wait until updates are downloaded
• Click the Scanner icon
• Open the Settings tab
  • Make sure that under "How to act?" read Quarantine
    (If not, click the text and choose Quarantine)
  • Under "How to scan?" all checkboxes should be ticked
  • Under "Reports" select Automatically generate report after every scan
    and uncheck Only if threats were found
  • Under "What to scan?" select Scan every file
• Click the Shield icon
• Under the "Resident shield is" click active to make it inactive
• Close AVG Anti-Spyware

==============================================

Reboot your computer in Safe Mode

• If the computer is running, shut down Windows, and then turn off the power
• Wait 30 seconds, and then turn the computer on
• Start tapping the F8 key
• The Windows Advanced Options Menu appears
• Ensure that the Safe Mode option is selected
• Press Enter. The computer then begins to start in Safe mode
• Login on your usual account

==============================================

• Close all open windows / programs / folders
• Start AVG Anti-Spyware
• Click the Scanner icon
• Click Complete System Scan
• Let the program scan the machine
• When the scan has finished, follow the instructions below
  • Make sure that under "Set all elements to" read Quarantine
    (If not, click the text and choose Quarantine)
  • Click Apply all actions
  • Click Save Report
  • Click Save reports as
  • Save report to your Desktop

==============================================

Please, post fresh HijackThis log and AVG Anti-Spyware log

scrapi

No.OTENET did not rang any bell at all. Anyway. I'm sending you my new findings: AVG Scan

---

AVG Anti-Spyware - Scan Report

---

+ Created at: 8:26:30 μμ 8/3/2007 + Scan result: :mozilla.209:C:\Documents and Settings\Vagelis Koutsaftakis\Application Data\Mozilla\Profiles\default\wjzsl74k.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned. :mozilla.79:C:\Documents and Settings\Vagelis Koutsaftakis\Application Data\Mozilla\Profiles\default\wjzsl74k.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned. :mozilla.80:C:\Documents and Settings\Vagelis Koutsaftakis\Application Data\Mozilla\Profiles\default\wjzsl74k.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned. :mozilla.81:C:\Documents and Settings\Vagelis Koutsaftakis\Application Data\Mozilla\Profiles\default\wjzsl74k.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned. :mozilla.108:C:\Documents and Settings\Vagelis Koutsaftakis\Application Data\Mozilla\Profiles\default\wjzsl74k.slt\cookies.txt -> TrackingCookie.Adbrite : Cleaned. :mozilla.110:C:\Documents and Settings\Vagelis Koutsaftakis\Application Data\Mozilla\Profiles\default\wjzsl74k.slt\cookies.txt -> TrackingCookie.Adbrite : Cleaned. :mozilla.210:C:\Documents and Settings\Vagelis Koutsaftakis\Application Data\Mozilla\Profiles\default\wjzsl74k.slt\cookies.txt -> TrackingCookie.Adbrite : Cleaned. :mozilla.75:C:\Documents and Settings\Vagelis Koutsaftakis\Application Data\Mozilla\Profiles\default\wjzsl74k.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned. :mozilla.76:C:\Documents and Settings\Vagelis Koutsaftakis\Application Data\Mozilla\Profiles\default\wjzsl74k.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned. :mozilla.277:C:\Documents and Settings\Vagelis Koutsaftakis\Application Data\Mozilla\Profiles\default\wjzsl74k.slt\cookies.txt -> TrackingCookie.Atdmt : Cleaned. :mozilla.162:C:\Documents and Settings\Vagelis Koutsaftakis\Application Data\Mozilla\Profiles\default\wjzsl74k.slt\cookies.txt -> TrackingCookie.Casalemedia : Cleaned. :mozilla.166:C:\Documents and Settings\Vagelis Koutsaftakis\Application Data\Mozilla\Profiles\default\wjzsl74k.slt\cookies.txt -> TrackingCookie.Casalemedia : Cleaned. :mozilla.198:C:\Documents and Settings\Vagelis Koutsaftakis\Application Data\Mozilla\Profiles\default\wjzsl74k.slt\cookies.txt -> TrackingCookie.Clickhype : Cleaned. :mozilla.272:C:\Documents and Settings\Vagelis Koutsaftakis\Application Data\Mozilla\Profiles\default\wjzsl74k.slt\cookies.txt -> TrackingCookie.Com : Cleaned. :mozilla.35:C:\Documents and Settings\Vagelis Koutsaftakis\Application Data\Mozilla\Profiles\default\wjzsl74k.slt\cookies.txt -> TrackingCookie.Doubleclick : Cleaned. :mozilla.158:C:\Documents and Settings\Vagelis Koutsaftakis\Application Data\Mozilla\Profiles\default\wjzsl74k.slt\cookies.txt -> TrackingCookie.Fastclick : Cleaned. :mozilla.159:C:\Documents and Settings\Vagelis Koutsaftakis\Application Data\Mozilla\Profiles\default\wjzsl74k.slt\cookies.txt -> TrackingCookie.Fastclick : Cleaned. :mozilla.160:C:\Documents and Settings\Vagelis Koutsaftakis\Application Data\Mozilla\Profiles\default\wjzsl74k.slt\cookies.txt -> TrackingCookie.Fastclick : Cleaned. :mozilla.161:C:\Documents and Settings\Vagelis Koutsaftakis\Application Data\Mozilla\Profiles\default\wjzsl74k.slt\cookies.txt -> TrackingCookie.Fastclick : Cleaned. :mozilla.237:C:\Documents and Settings\Vagelis Koutsaftakis\Application Data\Mozilla\Profiles\default\wjzsl74k.slt\cookies.txt -> TrackingCookie.Googleadservices : Cleaned. :mozilla.193:C:\Documents and Settings\Vagelis Koutsaftakis\Application Data\Mozilla\Profiles\default\wjzsl74k.slt\cookies.txt -> TrackingCookie.Hitbox : Cleaned. :mozilla.239:C:\Documents and Settings\Vagelis Koutsaftakis\Application Data\Mozilla\Profiles\default\wjzsl74k.slt\cookies.txt -> TrackingCookie.Hitbox : Cleaned. :mozilla.240:C:\Documents and Settings\Vagelis Koutsaftakis\Application Data\Mozilla\Profiles\default\wjzsl74k.slt\cookies.txt -> TrackingCookie.Hitbox : Cleaned. :mozilla.87:C:\Documents and Settings\Vagelis Koutsaftakis\Application Data\Mozilla\Profiles\default\wjzsl74k.slt\cookies.txt -> TrackingCookie.Hitbox : Cleaned. :mozilla.88:C:\Documents and Settings\Vagelis Koutsaftakis\Application Data\Mozilla\Profiles\default\wjzsl74k.slt\cookies.txt -> TrackingCookie.Hitbox : Cleaned. :mozilla.89:C:\Documents and Settings\Vagelis Koutsaftakis\Application Data\Mozilla\Profiles\default\wjzsl74k.slt\cookies.txt -> TrackingCookie.Hitbox : Cleaned. :mozilla.90:C:\Documents and Settings\Vagelis Koutsaftakis\Application Data\Mozilla\Profiles\default\wjzsl74k.slt\cookies.txt -> TrackingCookie.Hitbox : Cleaned. :mozilla.91:C:\Documents and Settings\Vagelis Koutsaftakis\Application Data\Mozilla\Profiles\default\wjzsl74k.slt\cookies.txt -> TrackingCookie.Hitbox : Cleaned. :mozilla.180:C:\Documents and Settings\Vagelis Koutsaftakis\Application Data\Mozilla\Profiles\default\wjzsl74k.slt\cookies.txt -> TrackingCookie.Mediaplex : Cleaned. :mozilla.268:C:\Documents and Settings\Vagelis Koutsaftakis\Application Data\Mozilla\Profiles\default\wjzsl74k.slt\cookies.txt -> TrackingCookie.Overture : Cleaned. :mozilla.287:C:\Documents and Settings\Vagelis Koutsaftakis\Application Data\Mozilla\Profiles\default\wjzsl74k.slt\cookies.txt -> TrackingCookie.Pointroll : Cleaned. :mozilla.288:C:\Documents and Settings\Vagelis Koutsaftakis\Application Data\Mozilla\Profiles\default\wjzsl74k.slt\cookies.txt -> TrackingCookie.Pointroll : Cleaned. :mozilla.289:C:\Documents and Settings\Vagelis Koutsaftakis\Application Data\Mozilla\Profiles\default\wjzsl74k.slt\cookies.txt -> TrackingCookie.Pointroll : Cleaned. :mozilla.290:C:\Documents and Settings\Vagelis Koutsaftakis\Application Data\Mozilla\Profiles\default\wjzsl74k.slt\cookies.txt -> TrackingCookie.Pointroll : Cleaned. :mozilla.242:C:\Documents and Settings\Vagelis Koutsaftakis\Application Data\Mozilla\Profiles\default\wjzsl74k.slt\cookies.txt -> TrackingCookie.Realmedia : Cleaned. :mozilla.243:C:\Documents and Settings\Vagelis Koutsaftakis\Application Data\Mozilla\Profiles\default\wjzsl74k.slt\cookies.txt -> TrackingCookie.Realmedia : Cleaned. :mozilla.244:C:\Documents and Settings\Vagelis Koutsaftakis\Application Data\Mozilla\Profiles\default\wjzsl74k.slt\cookies.txt -> TrackingCookie.Realmedia : Cleaned. :mozilla.222:C:\Documents and Settings\Vagelis Koutsaftakis\Application Data\Mozilla\Profiles\default\wjzsl74k.slt\cookies.txt -> TrackingCookie.Revsci : Cleaned. :mozilla.223:C:\Documents and Settings\Vagelis Koutsaftakis\Application Data\Mozilla\Profiles\default\wjzsl74k.slt\cookies.txt -> TrackingCookie.Revsci : Cleaned. :mozilla.224:C:\Documents and Settings\Vagelis Koutsaftakis\Application Data\Mozilla\Profiles\default\wjzsl74k.slt\cookies.txt -> TrackingCookie.Revsci : Cleaned. :mozilla.225:C:\Documents and Settings\Vagelis Koutsaftakis\Application Data\Mozilla\Profiles\default\wjzsl74k.slt\cookies.txt -> TrackingCookie.Revsci : Cleaned. :mozilla.226:C:\Documents and Settings\Vagelis Koutsaftakis\Application Data\Mozilla\Profiles\default\wjzsl74k.slt\cookies.txt -> TrackingCookie.Revsci : Cleaned. :mozilla.100:C:\Documents and Settings\Vagelis Koutsaftakis\Application Data\Mozilla\Profiles\default\wjzsl74k.slt\cookies.txt -> TrackingCookie.Sitestat : Cleaned. :mozilla.104:C:\Documents and Settings\Vagelis Koutsaftakis\Application Data\Mozilla\Profiles\default\wjzsl74k.slt\cookies.txt -> TrackingCookie.Sitestat : Cleaned. :mozilla.132:C:\Documents and Settings\Vagelis Koutsaftakis\Application Data\Mozilla\Profiles\default\wjzsl74k.slt\cookies.txt -> TrackingCookie.Statcounter : Cleaned. :mozilla.133:C:\Documents and Settings\Vagelis Koutsaftakis\Application Data\Mozilla\Profiles\default\wjzsl74k.slt\cookies.txt -> TrackingCookie.Statcounter : Cleaned. :mozilla.134:C:\Documents and Settings\Vagelis Koutsaftakis\Application Data\Mozilla\Profiles\default\wjzsl74k.slt\cookies.txt -> TrackingCookie.Statcounter : Cleaned. :mozilla.135:C:\Documents and Settings\Vagelis Koutsaftakis\Application Data\Mozilla\Profiles\default\wjzsl74k.slt\cookies.txt -> TrackingCookie.Statcounter : Cleaned. :mozilla.136:C:\Documents and Settings\Vagelis Koutsaftakis\Application Data\Mozilla\Profiles\default\wjzsl74k.slt\cookies.txt -> TrackingCookie.Statcounter : Cleaned. :mozilla.137:C:\Documents and Settings\Vagelis Koutsaftakis\Application Data\Mozilla\Profiles\default\wjzsl74k.slt\cookies.txt -> TrackingCookie.Statcounter : Cleaned. :mozilla.128:C:\Documents and Settings\Vagelis Koutsaftakis\Application Data\Mozilla\Profiles\default\wjzsl74k.slt\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned. :mozilla.49:C:\Documents and Settings\Vagelis Koutsaftakis\Application Data\Mozilla\Profiles\default\wjzsl74k.slt\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned. :mozilla.220:C:\Documents and Settings\Vagelis Koutsaftakis\Application Data\Mozilla\Profiles\default\wjzsl74k.slt\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned. :mozilla.109:C:\Documents and Settings\Vagelis Koutsaftakis\Application Data\Mozilla\Profiles\default\wjzsl74k.slt\cookies.txt -> TrackingCookie.Yadro : Cleaned. :mozilla.65:C:\Documents and Settings\Vagelis Koutsaftakis\Application Data\Mozilla\Profiles\default\wjzsl74k.slt\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned. :mozilla.66:C:\Documents and Settings\Vagelis Koutsaftakis\Application Data\Mozilla\Profiles\default\wjzsl74k.slt\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned. :mozilla.67:C:\Documents and Settings\Vagelis Koutsaftakis\Application Data\Mozilla\Profiles\default\wjzsl74k.slt\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned. ::Report end and Hijackthis: Logfile of HijackThis v1.99.1 Scan saved at 8:28:14 μμ, on 8/3/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\Explorer.EXE C:\Program Files\VAG-PROGRAMS\INTERNET & PROTECTION\AVG Anti-spyware\AVG Anti-Spyware 7.5\avgas.exe C:\Program Files\Hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.gr/ R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\VAG-PROGRAMS\INTERNET & PROTECTION\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe" O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe" O4 - HKLM\..\Run: [PowerS] C:\WINDOWS\PowerS.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\VAG-PR~1\INTERN~2\AVGANT~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\VAG-PROGRAMS\TOOLS-PAINT-DESIGN\Omnipage SE\OpwareSE2.exe" O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\VAG-PROGRAMS\CD-DVD Players-Converters\Apple-Quicktime\iTunes 7.0.2\iTunesHelper.exe" O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\VAG-PROGRAMS\TOOLS-PAINT-DESIGN\Daemon\daemon.exe" -lang 1033 O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe" O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [Mozilla Quick Launch] "c:\Program Files\VAG-PROGRAMS\INTERNET & PROTECTION\Mozilla\Mozilla.exe" -turbo O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\VAG-PROGRAMS\TOOLS-PAINT-DESIGN\Adobe Reader 8\Reader\reader_sl.exe O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\VAG-PROGRAMS\TOOLS-PAINT-DESIGN\Adobe Reader 8\Reader\AdobeCollabSync.exe O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\OTEnet-SAGEM Fast 800-840\dslmon.exe O4 - Global Startup: gwum.lnk = C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: Remote Controller.lnk = C:\Program Files\Prolink\PixelView PlayTV Pro 5.24\TVRMVCR.EXE O4 - Global Startup: Scheduler.lnk = C:\Program Files\Prolink\PixelView PlayTV Pro 5.24\TVSCHL.EXE O8 - Extra context menu item: Ε&ξαγωγή στο Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\VAG-PROGRAMS\INTERNET & PROTECTION\AVG Anti-spyware\AVG Anti-Spyware 7.5\guard.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\VAG-PR~1\INTERN~2\AVGANT~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\VAG-PR~1\INTERN~2\AVGANT~1\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\VAG-PR~1\INTERN~2\AVGANT~1\avgemc.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing) O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\VAG-PROGRAMS\TOOLS-PAINT-DESIGN\Alcohol.120%.1.9.6.4629\Alcohol 120\StarWind\StarWindService.exe Thanx for your time. I'd also like to ask what to do with the "obfuskated viruses" that are placed in the AVG Vault.Should I delete them? Hope to hearing from you soon...

Veka

Thanks for the logs, scrapi. But could you please send HijackThis log again.

scrapi

OK. Here it is: Logfile of HijackThis v1.99.1 Scan saved at 8:28:14 μμ, on 8/3/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\Explorer.EXE C:\Program Files\VAG-PROGRAMS\INTERNET & PROTECTION\AVG Anti-spyware\AVG Anti-Spyware 7.5\avgas.exe C:\Program Files\Hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.gr/ R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\VAG-PROGRAMS\INTERNET & PROTECTION\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe" O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe" O4 - HKLM\..\Run: [PowerS] C:\WINDOWS\PowerS.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\VAG-PR~1\INTERN~2\AVGANT~1\avgcc.exe /STARTUP O4 - H KLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\VAG-PROGRAMS\TOOLS-PAINT-DESIGN\Omnipage SE\OpwareSE2.exe" O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\VAG-PROGRAMS\CD-DVD Players-Converters\Apple-Quicktime\iTunes 7.0.2\iTunesHelper.exe" O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\VAG-PROGRAMS\TOOLS-PAINT-DESIGN\Daemon\daemon.exe" -lang 1033 O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe" O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [Mozilla Quick Launch] "c:\Program Files\VAG-PROGRAMS\INTERNET & PROTECTION\Mozilla\Mozilla.exe" -turbo O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\VAG-PROGRAMS\TOOLS-PAINT-DESIGN\Adobe Reader 8\Reader\reader_sl.exe O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\VAG-PROGRAMS\TOOLS-PAINT-DESIGN\Adobe Reader 8\Reader\AdobeCollabSync.exe O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\OTEnet-SAGEM Fast 800-840\dslmon.exe O4 - Global Startup: gwum.lnk = C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: Remote Controller.lnk = C:\Program Files\Prolink\PixelView PlayTV Pro 5.24\TVRMVCR.EXE O4 - Global Startup: Scheduler.lnk = C:\Program Files\Prolink\PixelView PlayTV Pro 5.24\TVSCHL.EXE O8 - Extra context menu item: Ε&ξαγωγή στο Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\VAG-PROGRAMS\INTERNET & PROTECTION\AVG Anti-spyware\AVG Anti-Spyware 7.5\guard.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\VAG-PR~1\INTERN~2\AVGANT~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\VAG-PR~1\INTERN~2\AVGANT~1\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\VAG-PR~1\INTERN~2\AVGANT~1\avgemc.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing) O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\VAG-PROGRAMS\TOOLS-PAINT-DESIGN\Alcohol.120%.1.9.6.4629\Alcohol 120\StarWind\StarWindService.exe I'd like to ask what to do with the "obfuskated viruses" that are placed in the AVG Vault.Should I delete them? Hope to hearing from you soon...

scrapi

scrapi wrote:

OK. Here it is: Logfile of HijackThis v1.99.1 Scan saved at 8:28:14 μμ, on 8/3/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\Explorer.EXE C:\Program Files\VAG-PROGRAMS\INTERNET & PROTECTION\AVG Anti-spyware\AVG Anti-Spyware 7.5\avgas.exe C:\Program Files\Hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.gr/ R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\VAG-PROGRAMS\INTERNET & PROTECTION\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe" O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe" O4 - HKLM\..\Run: [PowerS] C:\WINDOWS\PowerS.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\VAG-PR~1\INTERN~2\AVGANT~1\avgcc.exe /STARTUP O4 - H KLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\VAG-PROGRAMS\TOOLS-PAINT-DESIGN\Omnipage SE\OpwareSE2.exe" O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\VAG-PROGRAMS\CD-DVD Players-Converters\Apple-Quicktime\iTunes 7.0.2\iTunesHelper.exe" O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\VAG-PROGRAMS\TOOLS-PAINT-DESIGN\Daemon\daemon.exe" -lang 1033 O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe" O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [Mozilla Quick Launch] "c:\Program Files\VAG-PROGRAMS\INTERNET & PROTECTION\Mozilla\Mozilla.exe" -turbo O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\VAG-PROGRAMS\TOOLS-PAINT-DESIGN\Adobe Reader 8\Reader\reader_sl.exe O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\VAG-PROGRAMS\TOOLS-PAINT-DESIGN\Adobe Reader 8\Reader\AdobeCollabSync.exe O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\OTEnet-SAGEM Fast 800-840\dslmon.exe O4 - Global Startup: gwum.lnk = C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: Remote Controller.lnk = C:\Program Files\Prolink\PixelView PlayTV Pro 5.24\TVRMVCR.EXE O4 - Global Startup: Scheduler.lnk = C:\Program Files\Prolink\PixelView PlayTV Pro 5.24\TVSCHL.EXE O8 - Extra context menu item: Ε&ξαγωγή στο Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\VAG-PROGRAMS\INTERNET & PROTECTION\AVG Anti-spyware\AVG Anti-Spyware 7.5\guard.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\VAG-PR~1\INTERN~2\AVGANT~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\VAG-PR~1\INTERN~2\AVGANT~1\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\VAG-PR~1\INTERN~2\AVGANT~1\avgemc.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing) O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\VAG-PROGRAMS\TOOLS-PAINT-DESIGN\Alcohol.120%.1.9.6.4629\Alcohol 120\StarWind\StarWindService.exe I'd like to ask what to do with the "obfuskated viruses" that are placed in the AVG Vault.Should I delete them? Hope to hearing from you soon...

scrapi

I'm sorry about that.Eventhough when I post the results everything seems to be OK the results with the text are not satisfactory. I, even, edit the text, but in the end, it appears the same...

Veka

If you are using notepad, click the Format menu and make sure that Wordwrap is not checked. If it is checked then click on it to uncheck it. Try again, please.

scrapi

Logfile of HijackThis v1.99.1 Scan saved at 8:28:14 μμ, on 8/3/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\Explorer.EXE C:\Program Files\VAG-PROGRAMS\INTERNET & PROTECTION\AVG Anti-spyware\AVG Anti-Spyware 7.5\avgas.exe C:\Program Files\Hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.gr/ R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\VAG-PROGRAMS\INTERNET & PROTECTION\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe" O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe" O4 - HKLM\..\Run: [PowerS] C:\WINDOWS\PowerS.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\VAG-PR~1\INTERN~2\AVGANT~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\VAG-PROGRAMS\TOOLS-PAINT-DESIGN\Omnipage SE\OpwareSE2.exe" O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\VAG-PROGRAMS\CD-DVD Players-Converters\Apple-Quicktime\iTunes 7.0.2\iTunesHelper.exe" O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\VAG-PROGRAMS\TOOLS-PAINT-DESIGN\Daemon\daemon.exe" -lang 1033 O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe" O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [Mozilla Quick Launch] "c:\Program Files\VAG-PROGRAMS\INTERNET & PROTECTION\Mozilla\Mozilla.exe" -turbo O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\VAG-PROGRAMS\TOOLS-PAINT-DESIGN\Adobe Reader 8\Reader\reader_sl.exe O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\VAG-PROGRAMS\TOOLS-PAINT-DESIGN\Adobe Reader 8\Reader\AdobeCollabSync.exe O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\OTEnet-SAGEM Fast 800-840\dslmon.exe O4 - Global Startup: gwum.lnk = C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: Remote Controller.lnk = C:\Program Files\Prolink\PixelView PlayTV Pro 5.24\TVRMVCR.EXE O4 - Global Startup: Scheduler.lnk = C:\Program Files\Prolink\PixelView PlayTV Pro 5.24\TVSCHL.EXE O8 - Extra context menu item: Ε&ξαγωγή στο Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\VAG-PROGRAMS\INTERNET & PROTECTION\AVG Anti-spyware\AVG Anti-Spyware 7.5\guard.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\VAG-PR~1\INTERN~2\AVGANT~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\VAG-PR~1\INTERN~2\AVGANT~1\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\VAG-PR~1\INTERN~2\AVGANT~1\avgemc.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing) O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\VAG-PROGRAMS\TOOLS-PAINT-DESIGN\Alcohol.120%.1.9.6.4629\Alcohol 120\StarWind\StarWindService.exe

scrapi

Sorry. I just don't know what's wrong. Can I send it to you via e-mail?

scrapi

Here is an attachment

Veka

Ok, no panic. I edited it myself and I found it to be clean.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

Updating Java:

• Download the latest version of Java Runtime Environment (JRE) 6 .
• Click the "Download" button to the right.
• Check the box that says: "Accept License Agreement."
• The page will refresh.
• Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
• Close any programs you may have running - especially your web browser.
• Go to Start > Control Panel double-click on Add/Remove programs and remove the following...
  • J2SE Runtime Environment 5.0 Update 11
• Reboot your computer once all Java components are removed.
• Then from your desktop double-click on jre-6-windows-i586.exe to install the newest version.

scrapi

I only found jdk-6-windows-i586.exe. Should I download this? Should I delete the unhealable viruses from the AVG vault?

Veka

No, find Java Runtime Environment (JRE) 6 and click Download. Select "Accept License Agreement" and click Windows Offline Installation, Multi-language (jre-6-windows-i586.exe).

If you still have problems, try this
Windows Offline Installation, Multi-language

Yes, you can empty the AVG vault.

scrapi

And finally the quarantined infected files that avg spyware found should I leave them like this? Thank you for your invaluable help. Greetings from Greece:)

Veka

To [SIZE=-1]remove the files from the AVG Anti-Spyware Quarantine,

Click Infections icon.
Click Select All and then Remove finnally.

=============================================================

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

• Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.
  
  You can find instructions on how to enable and reenable system restore here:
  
  Managing Windows Millenium System Restore
  
  or
  
  Windows XP System Restore Guide

Reenable system restore with instructions from tutorial above

• Make your Internet Explorer more secure - This can be done by following these simple instructions:
• From within Internet Explorer click on the Tools menu and then click on Options.
• Click once on the Security tab
• Click once on the Internet icon so it becomes highlighted.
• Click once on the Custom Level button.
• Change the Download signed ActiveX controls to Prompt
  
• Change the Download unsigned ActiveX controls to Disable
  
• Change the Initialize and script ActiveX controls not marked as safe to Disable
  
• Change the Installation of desktop items to Prompt
  
• Change the Launching programs and files in an IFRAME to Prompt
  
• Change the Navigate sub-frames across different domains to Prompt
  
• When all these settings have been made, click on the OK button.
  
• If it prompts you as to whether or not you want to save the settings, press the Yes button.
• Next press the Apply button and then the OK to exit the Internet Properties page.

• Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

See this link for a listing of some online & their stand-alone antivirus programs:

Virus, Spyware, and Malware Protection and Removal Resources

• Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
  
  
• Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.
  
  For a tutorial on Firewalls and a listing of some available ones see the link below:
  
  Understanding and Using Firewalls
  
  
• Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  
  
• Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.
  
  A tutorial on installing & using this product can be found here:
  
  Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer
  
  
• Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option.
  
  This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an anti virus software. A tutorial on installing & using this product can be found here:
  
  Instructions for - Spybot S & D and Ad-aware
  
  
• Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
  
  A tutorial on installing & using this product can be found here:
  
  Using SpywareBlaster to protect your computer from Spyware and Malware
  
  
• Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety

• IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
• MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
• Google Toolbar <= Get the free google toolbar to help stop pop up windows.
• Winpatrol <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
  Using Winpatrol to protect your computer from malicious software

Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place

Happy surfing and stay clean!
[/SIZE]

chiaz

Good job vekarppe.

Glad Short-Media could be of assistance! The help you received here was free. Please read through some of these Prevention Tips that Short-Media offers, in addition to the ones posted.

This topic is now closed. If you wish it reopened, please send a Private Message (PM) to one of the Spyware Mods with a link to your thread.

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required.

If you are not the user who started this thread, you must start a new Thread instead

Would you also be interested to join Short-Media (Team #93) with the Folding@Home Project? More information available here