Post reply

Name:
Email:
Subject:
Message icon:

Verification:
Type the letters shown in the picture
Listen to the letters / Request another image

Type the letters shown in the picture:
Second Anti-Bot trap, type or simply copy-paste below (only the red letters):www.scforum.info:

shortcuts: hit alt+s to submit/post or alt+p to preview


Topic Summary

Posted by: portoleone
« on: 05. December 2012., 19:12:47 »

Hello S.,

Agreed ... Thank you for your time and efforts  :up:

BR
portoleone
Posted by: Samker
« on: 05. December 2012., 17:35:55 »

Hi S.,
That particular item has been removed with HJT.
I also ran two additional full scans, one with ESET Online scanner and one after downloaded/installed NOD AntiVirus 5.2.9, Trial version from ESET site. Both scans returned ... no infection!!

...

That's great news pal. :thumbsup:

If you agree, I'll consider this case closed ?

Best Regards,

S.
Posted by: portoleone
« on: 03. December 2012., 17:55:08 »

Hi S.,
That particular item has been removed with HJT.
I also ran two additional full scans, one with ESET Online scanner and one after downloaded/installed NOD AntiVirus 5.2.9, Trial version from ESET site. Both scans returned ... no infection!!
I uninstalled NOD Trial and returned to Panda Cloud Antivirus Free, installed since yesterday.
A "Malwarebytes Anti-Malware" scan returned no infection, too!
During this night, I'll leave Panda to scan all my external HDD's, scanning the "compressed" files also. Maybe something remains hidden-inactive there for the time being, but it will be activated again at a moment .. who knows??

Regarding the (infected) files found ...
1. C:\Program Files\Quick Virus Remover\uninstall.exe - Found as infected by Hitman Pro/Cloud and finally left Cloud to delete it.
     I had installed it, but checked the installation file prior installation with MSE/Malwarebytes, as I am used to do with every file from not known and famous sites!!
2. C:\Program Files\Dictionaries Explorer II\MgDE2.exe (Application of English-Greek Disctionary)  -  Found infected by Hitman Pro only, not Cloud or Malwarebytes or ESET Online Scanner. I use that application on my wife's PC for years and no ESET Smart Security nor Malwarebytes have reported anything so far. Anyway, it has been replaced with it's original version from developer company ... just in case ;)

Best regards
portoleone



Posted by: Samker
« on: 02. December 2012., 20:45:59 »

Hi P.,

hmmm...  ??? on first view, your HJT log looks clean.


Now, please remove this item with HJT:

Quote
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

After that, I need information about these two (infected) files which you mentioned here (name, location at your PC etc.): http://scforum.info/index.php/topic,2708.msg19723.html#msg19723 I suspect that they are "inactive" files (for example "compressed" in some file) or simply never installed on your PC "just copied" from somewhere else...

Finally, scan your PC with "ESET Online Scanner" and provide us result: http://scforum.info/index.php/topic,734.0.html

cya later,

S.
Posted by: portoleone
« on: 02. December 2012., 12:26:01 »

Good afternoon Samker and guys,

Following your instructions, both "Panda Cloud Cleaner" and "BitDefender Quick Scan" returned green; no infection!
As I couldn't find how to attach the HijackThis.log file, I put it herewith:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 13:58:16, on 2012/12/02
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files\SigmaTel\C-Major Audio\DellXPM_5515v131\WDM\StacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CodeMeter\Runtime\bin\CodeMeter.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Vista Drive Icon\DrvIcon.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Real\RealPlayer\update\realsched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Softland\Backup4all Professional 4\b4aSched.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\PrintKey2000\Printkey2000.exe
C:\Program Files\COSMOTE\Internet On the Go\AutoUpdateSrv.exe
C:\Program Files\Clock\clock.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\portoleone\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\portoleone\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\portoleone\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\portoleone\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\portoleone\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\portoleone\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\portoleone\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\portoleone\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\portoleone\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\portoleone\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\portoleone\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\portoleone\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\portoleone\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\My Downloads\Programs\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O1 - Hosts: ::1 localhost
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office14\GROOVEEX.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~3\Office14\URLREDIR.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [DrvIcon] C:\Program Files\Vista Drive Icon\DrvIcon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Real\RealPlayer\update\realsched.exe"  -osboot
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\portoleone\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Backup4all Scheduler] "C:\Program Files\Softland\Backup4all Professional 4\b4aSched.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: clock.exe.lnk = C:\Program Files\Clock\clock.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe
O4 - Global Startup: Update Agent.lnk = ?
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MICROS~3\Office14\ONBttnIE.dll/105
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1352918397750
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: CodeMeter Runtime Server (CodeMeter.exe) - WIBU-SYSTEMS AG - C:\Program Files\CodeMeter\Runtime\bin\CodeMeter.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Oracle Corporation - C:\Program Files\Java\jre7\bin\jqs.exe
O23 - Service: KMService - Unknown owner - C:\WINDOWS\system32\srvany.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: NMSAccess - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel(R) Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\DellXPM_5515v131\WDM\StacSV.exe

--
End of file - 10598 bytes


As you are much more experienced than myself, I am sure that you'll easily recognize any suspicious entry on the above log.
Thanks again for your kind interest,

Best regards
portoleone
 

Posted by: Samker
« on: 30. November 2012., 06:00:08 »

...

Now I am back, I'll inform you about my further actions.

...

Ok pal. ;)

cya later,

S.
Posted by: portoleone
« on: 29. November 2012., 11:31:47 »

Thank you guys, I highly appreciate your concern to my issues.

I was out of city for a few days, due to a business trip.
Now I am back, I'll inform you about my further actions.

Thanks again for your kind assistance,

portoleone
Posted by: Samker
« on: 19. November 2012., 06:13:18 »

Hi P.,

if you suspect that your PC is malware infected, after "jheysen" suggestion, please follow next instructions as well:

1. Provide us all possible information, how this problems occur etc.?

2. Run BitDefender or Panda Online AntiVirus Scan: http://scforum.info/index.php/topic,734.0.html

3. Download & run HijackThis: http://scforum.info/index.php/topic,785.0.html

4. Provide us logs from HijackThis & AntiVirus Online Scan

We'll wait your reply (with logs).

Regards,

Samker
Posted by: portoleone
« on: 18. November 2012., 22:38:15 »

Few days ago my internal HDD (WD800BEVS-75RST0) showed a strange behavior. I tried a reboot and some critical system files were missing. I forced to reinstall XP and I realised that all MSOffice documents in attached external disks had been deleted, as well as "zip" and "rar" files. Other file formats remained untouched!  >:(
I tried to find the lost files by a s/w named Recuva, I found them as deleted on external HDD and tried to recover them. Some of them have been overwritten, other showed in excellent condition with no clusters overwritten. I restored them, but proper application (Excel or Word) can't open them, due to wrong file extension or corruption!
Does anybody have any idea how me to go on and "save" any of these files?
Thank you in advance
Sounds like a Virus infection to me, so you better begin a full system scan in safe mode.
When I found out it, I thought exactly the same. There is no other logical explanation to me than a virus infection! It happens to me for 1st time.
Six logical drives were infected and all of these files .. "gone with the wind" :(
I'll do a scan in safe mode also, as recommended.
Posted by: jheysen
« on: 18. November 2012., 19:24:00 »

Few days ago my internal HDD (WD800BEVS-75RST0) showed a strange behavior. I tried a reboot and some critical system files were missing. I forced to reinstall XP and I realised that all MSOffice documents in attached external disks had been deleted, as well as "zip" and "rar" files. Other file formats remained untouched!  >:(
I tried to find the lost files by a s/w named Recuva, I found them as deleted on external HDD and tried to recover them. Some of them have been overwritten, other showed in excellent condition with no clusters overwritten. I restored them, but proper application (Excel or Word) can't open them, due to wrong file extension or corruption!
Does anybody have any idea how me to go on and "save" any of these files?
Thank you in advance
Sounds like a Virus infection to me, so you better begin a full system scan in safe mode.
Posted by: portoleone
« on: 18. November 2012., 18:24:07 »

Few days ago my internal HDD (WD800BEVS-75RST0) showed a strange behavior. I tried a reboot and some critical system files were missing. I forced to reinstall XP and I realised that all MSOffice documents in attached external disks had been deleted, as well as "zip" and "rar" files. Other file formats remained untouched!  >:(
I tried to find the lost files by a s/w named Recuva, I found them as deleted on external HDD and tried to recover them. Some of them have been overwritten, other showed in excellent condition with no clusters overwritten. I restored them, but proper application (Excel or Word) can't open them, due to wrong file extension or corruption!
Does anybody have any idea how me to go on and "save" any of these files?
Thank you in advance
Enter your email address to receive daily email with 'SCforum.info - Samker's Computer Forum' newest content:

Terms of Use | Privacy Policy | Advertising