Hello,
sorry,about my english!!!
i have got vundo viruses and i have tried to remove them with the vundofix programm.
Vundofix remove what has found,but i still get some popups(poker,cazino..etc).
I hope if someone can help me please!!!!
Thank you very much.

Go to the this link:

Disable Realtime Protection

Follow their directions to disable any realtime protection that you have as it will interfere with the fix by reinstalling the corrupt files.

Please download Atribune's VundoFix.exe from the following site to your desktop:

Vundofix.exe

Double-click VundoFix.exe to run it.

Click the Scan for Vundo button.

Once it's done scanning, click the Remove Vundo button.

You will receive a prompt asking if you want to remove the files,
click "yes".

Once you click yes, your desktop will go blank as it starts removing
Vundo.

When completed, it will prompt that it will reboot your computer,
click "ok".

Please download and install the latest version of HijackThis v2.0.2:

Download the "HijackThis" Installer from this link:
Hijack This

1. Save " HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5.Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

Please download ComboFix to the desktop from one of the following links:

Link1

Link 2

Link 3

Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to hang.)
Please post the log it produces.

thanks jabuck!
i`ll do that and post it for you.

Here`s the hijackthis log file

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:02:46 μμ, on 25/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\spupdsvc.exe
C:\WINDOWS\system32\spnpinst.exe
C:\WINDOWS\system32\Sysocmgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\sm56hlpr.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\T?sks\?xplorer.exe
C:\Program Files\xInsIDE\xInsIDE.exe
C:\Program Files\JavaCore\JavaCore.exe
C:\Program Files\TaxCode\TaxSoft\Taxline2.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.gr/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Συνδέσεις
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7FE72893-13EA-4C6A-980A-3552F7E1BD22} - C:\WINDOWS\system32\sstqo.dll (file missing)
O2 - BHO: {12e14624-6a2a-d858-a194-7936783d1368} - {8631d387-6397-491a-858d-a2a642641e21} - C:\WINDOWS\system32\sgccvtft.dll (file missing)
O2 - BHO: (no name) - {D85530E8-D39D-49D0-9F36-300D594556D2} - C:\WINDOWS\system32\vturopn.dll (file missing)
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKLM\..\Run: [dc737db7] rundll32.exe "C:\WINDOWS\system32\dqhwgrpy.dll",b
O4 - HKLM\..\Run: [BMdf404e2b] Rundll32.exe "C:\WINDOWS\system32\gopdibna.dll",s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Pieo] C:\WINDOWS\system32\T?sks\?xplorer.exe
O4 - HKCU\..\Run: [xInsIDE] C:\Program Files\xInsIDE\xInsIDE.exe
O4 - HKCU\..\Run: [JavaCore] C:\Program Files\JavaCore\JavaCore.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Shortcut to Taxline2.lnk = C:\Program Files\TaxCode\TaxSoft\Taxline2.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{3315A6D3-FF03-4CA2-9144-4D87C87793E6}: NameServer = 195.170.0.2,195.170.2.1
O20 - Winlogon Notify: vturopn - vturopn.dll (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

--
End of file - 4693 bytes

and here`s the combofix log file

ComboFix 08-02-25.2 - sales 2008-02-25 14:05:28.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1253.1.1032.18.478 [GMT 2:00]
Running from: C:\Documents and Settings\sales\Επιφάνεια εργασίας\ComboFix.exe
* Created a new restore point

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\sales\Start Menu\Προγράμματα\Outerinfo
C:\Documents and Settings\sales\Start Menu\Προγράμματα\Outerinfo\Terms.lnk
C:\Documents and Settings\sales\Start Menu\Προγράμματα\Outerinfo\Uninstall.lnk
C:\Program Files\Common Files\curity~1
C:\Program Files\Common Files\curity~1\??curity\
C:\Program Files\Common Files\curity~1\msdtc.exe
C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\Program Files\inetget2
C:\Program Files\outerinfo
C:\Program Files\outerinfo\FF\chrome.manifest
C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\outerinfo\FF\install.rdf
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\Temporary
C:\Program Files\Temporary\InsiDERIns.exe
C:\Temp\isgTi19
C:\WINDOWS\b152.exe
C:\WINDOWS\b153.exe
C:\WINDOWS\system32\nGpxx01
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\tsks~1
C:\WINDOWS\system32\tsks~1\?xplorer.exe

.
((((((((((((((((((((((((( Files Created from 2008-01-25 to 2008-02-25 )))))))))))))))))))))))))))))))
.

2008-02-25 12:02 . 2008-02-25 12:03 1,158 --a------ C:\WINDOWS\mozver.dat
2008-02-25 12:01 . 2008-02-25 12:01 0 --a------ C:\WINDOWS\nsreg.dat
2008-02-23 11:31 . 2008-02-23 12:10 <DIR> d-------- C:\VundoFix Backups
2008-02-23 11:26 . 2008-02-23 11:26 132,608 --a------ C:\Program Files\VundoFix.exe
2008-02-23 11:17 . 2008-02-23 11:17 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-23 10:32 . 2008-02-23 10:32 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Avg7
2008-02-22 17:53 . 2008-02-22 17:53 <DIR> d-------- C:\Program Files\JavaCore
2008-02-22 17:48 . 2008-02-22 17:48 <DIR> d-------- C:\Program Files\xInsIDE
2008-02-22 14:07 . 2008-02-22 14:07 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-02-22 08:53 . 2008-02-23 09:06 894 --ahs---- C:\WINDOWS\system32\qaevvjuk.ini
2008-02-22 08:42 . 2008-02-23 10:52 70,896 --a------ C:\WINDOWS\BMdf404e2b.xml
2008-02-22 08:42 . 2008-02-23 10:50 22 --a------ C:\WINDOWS\pskt.ini
2008-02-21 17:42 . 2008-02-21 17:42 36,864 --a------ C:\WINDOWS\mrofinu572.exe.tmp
2008-02-21 17:41 . 2008-02-25 14:05 <DIR> d-------- C:\Temp
2008-02-20 10:36 . 2008-02-20 13:34 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-02-20 10:29 . 2008-02-20 10:36 <DIR> d-------- C:\Documents and Settings\sales\Application Data\Ahead
2008-02-20 10:29 . 2008-02-20 10:29 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Ahead
2008-02-20 10:28 . 2008-02-20 10:28 <DIR> d-------- C:\Program Files\Nero
2008-02-20 10:28 . 2008-02-20 10:29 <DIR> d-------- C:\Program Files\Common Files\Ahead
2008-02-20 10:28 . 2008-02-20 10:28 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Nero
2008-02-20 09:10 . 2007-07-09 15:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-02-19 19:01 . 2008-02-22 14:21 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-02-19 12:51 . 2008-02-19 12:51 0 --a------ C:\WINDOWS\VPC32.INI
2008-02-19 11:22 . 2007-09-28 09:17 73,728 --a------ C:\WINDOWS\system32\TCDraftMon.dll
2008-02-19 11:18 . 2008-02-19 11:18 <DIR> d-------- C:\”ᡜΆ¦
2008-02-19 11:18 . 2008-02-19 11:25 <DIR> d-------- C:\TAXIS
2008-02-19 11:13 . 2008-02-19 11:13 <DIR> d-------- C:\Documents and Settings\sales\Application Data\AdobeUM
2008-02-19 11:07 . 2008-02-19 11:07 <DIR> d-------- C:\Program Files\TaxCode
2008-02-19 11:03 . 2008-02-18 10:25 2,585,872 --a------ C:\Program Files\WindowsInstaller-KB893803-v2-x86.exe
2008-02-19 11:00 . 2008-02-18 10:14 23,510,720 --a------ C:\Program Files\dotnetfx.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-29 15:58 3,778,560 ----a-w C:\Program Files\SetupTaxSoft_V2-8.msi
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7FE72893-13EA-4C6A-980A-3552F7E1BD22}]
C:\WINDOWS\system32\sstqo.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8631d387-6397-491a-858d-a2a642641e21}]
C:\WINDOWS\system32\sgccvtft.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-09-04 06:45 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24 1694208]
"Pieo"="C:\WINDOWS\system32\T?sks\?xplorer.exe" [ ]
"xInsIDE"="C:\Program Files\xInsIDE\xInsIDE.exe" [2008-02-22 17:48 53248]
"JavaCore"="C:\Program Files\JavaCore\JavaCore.exe" [2008-02-22 17:53 144896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SMSERIAL"="sm56hlpr.exe" [2004-12-29 00:01 544768 C:\WINDOWS\sm56hlpr.exe]
"SiSPower"="SiSPower.dll" [2007-04-10 21:06 53248 C:\WINDOWS\system32\SiSPower.dll]
"SkyTel"="SkyTel.EXE" [2006-05-16 12:04 2879488 C:\WINDOWS\SkyTel.exe]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2002-07-30 11:35 77824]
"RTHDCPL"="RTHDCPL.EXE" [2007-02-26 09:03 16125440 C:\WINDOWS\RTHDCPL.exe]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]
"dc737db7"="C:\WINDOWS\system32\dqhwgrpy.dll" [ ]
"BMdf404e2b"="C:\WINDOWS\system32\gopdibna.dll" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-09-04 06:45 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vturopn]
vturopn.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

.
Contents of the 'Scheduled Tasks' folder
"2008-02-25 12:07:06 C:\WINDOWS\Tasks\updater.exe.job"
- C:\Program Files\TaxCode\TaxSoft\updater.ex
- C:\Program Files\TaxCode\TaxSoft\.SYSTEM
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-25 14:07:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
r Running Proce
.
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\spupdsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\spnpinst.exe
C:\WINDOWS\system32\Sysocmgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\TaxCode\TaxSoft\Taxline2.exe
.
**************************************************************************
.
Completion time: 2008-02-25 14:08:24 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-25 12:08:22
.
2008-02-22 12:26:46 --- E O F ---

and i`d like to tell you that when i open the computer it gives two small windows adout
fail during loading
1.c:\windows\system32\gopdipna.dll
2.c:\windows\system32\dqhwgrpy.dll

thanks!!

Open Notepad and copy/paste everything between the X"s into it and make sure "File::" is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
File::
C:\WINDOWS\system32\qaevvjuk.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\mrofinu572.exe.tmp
C:\WINDOWS\system32\sstqo.dll
C:\WINDOWS\system32\sgccvtft.dll
C:\WINDOWS\system32\dqhwgrpy.dll
C:\WINDOWS\system32\gopdibna.dll
C:\Program Files\xInsIDE\xInsIDE.exe
C:\Program Files\xInsIDE\xInsIDE.exe

Driver::
vturopn

Folder::
C:\VundoFix Backups
C:\Program Files\JavaCore
C:\Program Files\xInsIDE

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7FE72893-13EA-4C6A-980A-3552F7E1BD22}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8631d387-6397-491a-858d-a2a642641e21}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Pieo"=-
"xInsIDE"=-
"JavaCore"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dc737db7"=-
"BMdf404e2b"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vturopn]

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose" Save As", Change the "Save As Type" to All Files, Name it CFScript.txt then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop) if combofix does not auto start click "run".

Download SDFix to your desktop from the following link:

SDFix.exe.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.

Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.

Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.

Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt.

Do you know what this folder is:

C:\”ᡜΆ¦

Post a new Combofix log.

thanks so much again.i think my pc is clean!!!
here`s is the combofix log

ComboFix 08-02-25.2 - sales 2008-02-26 14:20:24.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1253.1.1032.18.442 [GMT 2:00]
Running from: C:\Documents and Settings\sales\Επιφάνεια εργασίας\ComboFix.exe
Command switches used :: C:\Documents and Settings\sales\Επιφάνεια εργασίας\CFScript.txt
* Created a new restore point

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]

FILE ::
C:\Program Files\xInsIDE\xInsIDE.exe
C:\WINDOWS\mrofinu572.exe.tmp
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\dqhwgrpy.dll
C:\WINDOWS\system32\gopdibna.dll
C:\WINDOWS\system32\qaevvjuk.ini
C:\WINDOWS\system32\sgccvtft.dll
C:\WINDOWS\system32\sstqo.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\JavaCore
C:\Program Files\JavaCore\JavaCore.exe
C:\Program Files\JavaCore\UnInstall.exe
C:\Program Files\xInsIDE
C:\Program Files\xInsIDE\xInsIDE.exe
C:\VundoFix Backups
C:\VundoFix Backups\dqhwgrpy.dll.bad
C:\VundoFix Backups\gopdibna.dll.bad
C:\VundoFix Backups\jddptnpf.dll.bad
C:\VundoFix Backups\oojhhsgy.dll.bad
C:\VundoFix Backups\oqtss.ini.bad
C:\VundoFix Backups\oqtss.ini2.bad
C:\VundoFix Backups\sgccvtft.dll.bad
C:\VundoFix Backups\sstqo.dll.bad
C:\VundoFix Backups\yprgwhqd.ini.bad
C:\WINDOWS\mrofinu572.exe.tmp
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\qaevvjuk.ini

.
((((((((((((((((((((((((( Files Created from 2008-01-26 to 2008-02-26 )))))))))))))))))))))))))))))))
.

2008-02-25 12:02 . 2008-02-25 12:03 1,158 --a------ C:\WINDOWS\mozver.dat
2008-02-25 12:01 . 2008-02-25 12:01 0 --a------ C:\WINDOWS\nsreg.dat
2008-02-23 11:26 . 2008-02-23 11:26 132,608 --a------ C:\Program Files\VundoFix.exe
2008-02-23 11:17 . 2008-02-23 11:17 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-23 10:32 . 2008-02-23 10:32 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Avg7
2008-02-22 14:07 . 2008-02-22 14:07 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-02-22 08:42 . 2008-02-23 10:52 70,896 --a------ C:\WINDOWS\BMdf404e2b.xml
2008-02-21 17:41 . 2008-02-25 14:05 <DIR> d-------- C:\Temp
2008-02-20 10:36 . 2008-02-20 13:34 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-02-20 10:29 . 2008-02-20 10:36 <DIR> d-------- C:\Documents and Settings\sales\Application Data\Ahead
2008-02-20 10:29 . 2008-02-20 10:29 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Ahead
2008-02-20 10:28 . 2008-02-20 10:28 <DIR> d-------- C:\Program Files\Nero
2008-02-20 10:28 . 2008-02-20 10:29 <DIR> d-------- C:\Program Files\Common Files\Ahead
2008-02-20 10:28 . 2008-02-20 10:28 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Nero
2008-02-20 09:10 . 2007-07-09 15:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-02-19 19:01 . 2008-02-22 14:21 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-02-19 12:51 . 2008-02-19 12:51 0 --a------ C:\WINDOWS\VPC32.INI
2008-02-19 11:22 . 2007-09-28 09:17 73,728 --a------ C:\WINDOWS\system32\TCDraftMon.dll
2008-02-19 11:18 . 2008-02-19 11:25 <DIR> d-------- C:\TAXIS
2008-02-19 11:18 . 2008-02-19 11:18 <DIR> d-------- C:\Φάκελος
2008-02-19 11:13 . 2008-02-19 11:13 <DIR> d-------- C:\Documents and Settings\sales\Application Data\AdobeUM
2008-02-19 11:07 . 2008-02-19 11:07 <DIR> d-------- C:\Program Files\TaxCode
2008-02-19 11:03 . 2008-02-18 10:25 2,585,872 --a------ C:\Program Files\WindowsInstaller-KB893803-v2-x86.exe
2008-02-19 11:00 . 2008-02-18 10:14 23,510,720 --a------ C:\Program Files\dotnetfx.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-07 01:06 665,088 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:40 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-11-29 15:58 3,778,560 ----a-w C:\Program Files\SetupTaxSoft_V2-8.msi
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-09-04 06:45 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SMSERIAL"="sm56hlpr.exe" [2004-12-29 00:01 544768 C:\WINDOWS\sm56hlpr.exe]
"SiSPower"="SiSPower.dll" [2007-04-10 21:06 53248 C:\WINDOWS\system32\SiSPower.dll]
"SkyTel"="SkyTel.EXE" [2006-05-16 12:04 2879488 C:\WINDOWS\SkyTel.exe]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2002-07-30 11:35 77824]
"RTHDCPL"="RTHDCPL.EXE" [2007-02-26 09:03 16125440 C:\WINDOWS\RTHDCPL.exe]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-09-04 06:45 15360]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\¨¦š¨α££˜«˜\„΅΅ε¤ž©ž\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]
Shortcut to Taxline2.lnk - C:\Program Files\TaxCode\TaxSoft\Taxline2.exe [2007-11-29 17:54:00 915968]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

.
Contents of the 'Scheduled Tasks' folder
"2008-02-26 06:36:56 C:\WINDOWS\Tasks\updater.exe.job"
- C:\Program Files\TaxCode\TaxSoft\updater.ex
- C:\Program Files\TaxCode\TaxSoft\.SYSTEM
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-26 14:21:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
Completion time: 2008-02-26 14:21:34
ComboFix-quarantined-files.txt 2008-02-26 12:21:32
ComboFix2.txt 2008-02-25 12:08:25
.
2008-02-22 12:26:46 --- E O F ---
and her`s the report from sdfix

[b]SDFix: Version 1.147 [/b]

Run by sales on Τρι 26/02/2008 at 03:01 μμ

Microsoft Windows XP [Έκδοση 5.1.2600]
Running From: C:\SDFix

[b]Checking Services [/b]:

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting

[b]Checking Files [/b]:

No Trojan Files Found

Removing Temp Files

[b]ADS Check [/b]:

[b]Final Check [/b]:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-26 15:05:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions]
"\x2018\3\x393\3\x39d\3\xb3\3\x397\3\x391\3\x38f\3\xbd\3\x38f\3\x392\3 ?\x390\3\x391\3\x38f\3\x393\3\xb1\3\x391\3\x38c\3\x38f\3\xb3\3\xad\3\xb1\3\x392\3 ?R?A?S?"=str(7):"1\0"
"\x2018\3\x390\3\xb5\3\x395\3\x388\3\xb5\3\x2015\3\xb1\3\x392\3 ?\x390\3\xb1\3\x391\3\xac\3\xbb\3\xbb\3\xb7\3\xbb\3\xb7\3"=str(7):"1\0"
"\xa0\3\xb1\3\x38a\3\xad\3\x394\3\x38f\3 ?\x397\3\x391\3\x38f\3\xbd\3\x38f\3\x384\3\x389\3\xb1\3\xb3\3\x391\3\xac\3\x38c\3\x38c\3\xb1\3\x394\3\x38f\3\x392\3 ?M?i?n?i?p?o?r?t?"=str(7):"1\0002\0"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System\\x201d\3\x389\3\xb1\3\x397\3\xb5\3\x2015\3\x391\3\x389\3\x393\3\xb7\3 ]
"EventMessageFile"="C:\WINDOWS\system32\sessmgr.exe"
"TypesSupported"=dword:00000007
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System\\xa5\3\x390\3\xb7\3\x391\3\xb5\3\x393\3\x2015\3\xb1\3 ]
"EventMessageFile"=str(2):"%SystemRoot%\System32\NTMSEVT.DLL"
"TypesSupported"=dword:00000007
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions]
"\x2018\3\x393\3\x39d\3\xb3\3\x397\3\x391\3\x38f\3\xbd\3\x38f\3\x392\3 ?\x390\3\x391\3\x38f\3\x393\3\xb1\3\x391\3\x38c\3\x38f\3\xb3\3\xad\3\xb1\3\x392\3 ?R?A?S?"=str(7):"1\0"
"\x2018\3\x390\3\xb5\3\x395\3\x388\3\xb5\3\x2015\3\xb1\3\x392\3 ?\x390\3\xb1\3\x391\3\xac\3\xbb\3\xbb\3\xb7\3\xbb\3\xb7\3"=str(7):"1\0"
"\xa0\3\xb1\3\x38a\3\xad\3\x394\3\x38f\3 ?\x397\3\x391\3\x38f\3\xbd\3\x38f\3\x384\3\x389\3\xb1\3\xb3\3\x391\3\xac\3\x38c\3\x38c\3\xb1\3\x394\3\x38f\3\x392\3 ?M?i?n?i?p?o?r?t?"=str(7):"1\0002\0"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Eventlog\System\\x201d\3\x389\3\xb1\3\x397\3\xb5\3\x2015\3\x391\3\x389\3\x393\3\xb7\3 ]
"EventMessageFile"="C:\WINDOWS\system32\sessmgr.exe"
"TypesSupported"=dword:00000007
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Eventlog\System\\xa5\3\x390\3\xb7\3\x391\3\xb5\3\x393\3\x2015\3\xb1\3 ]
"EventMessageFile"=str(2):"%SystemRoot%\System32\NTMSEVT.DLL"
"TypesSupported"=dword:00000007

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cursors\Schemes]
"\xa0\3\x391\3\x38f\3\xb5\3\x390\3\x389\3\xbb\3\xb5\3\xb3\3\x38c\3\xad\3\xbd\3\xb1\3 ?W?i?n?d?o?w?s?"="",,,,,,,,,,,,,""
"\x9a\3\x389\3\xbd\3\x38f\3\x39d\3\x38c\3\xb5\3\xbd\3\xb1\3 ?W?i?n?d?o?w?s?"=""C:\WINDOWS\Cursors\rainbow.ani,,C:\WINDOWS\Cursors\appstart.ani,C:\WINDOWS\Cursors\hourglas.ani,C:\WINDOWS\Cursors\cross.cur,,,,C:\WINDOWS\Cursors\sizens.ani,C:\WINDOWS\Cursors\sizewe.ani,C:\WINDOWS\Cursors\sizenwse.ani,C:\WINDOWS\Cursors\sizenesw.ani,,""
"\x2020\3\x393\3\x390\3\x391\3\x38f\3 ?3?\x201d\3"=""C:\WINDOWS\Cursors\3dwarro.cur,,C:\WINDOWS\Cursors\appstar3.ani,C:\WINDOWS\Cursors\hourgla3.ani,C:\WINDOWS\Cursors\cross.cur,,,C:\WINDOWS\Cursors\3dwno.cur,C:\WINDOWS\Cursors\3dwns.cur,C:\WINDOWS\Cursors\3dwwe.cur,C:\WINDOWS\Cursors\3dwnwse.cur,C:\WINDOWS\Cursors\3dwnesw.cur,C:\WINDOWS\Cursors\3dwmove.cur,""
"\xa7\3\xad\3\x391\3\x389\3\xb1\3 ?1?"=""C:\WINDOWS\Cursors\harrow.cur,,C:\WINDOWS\Cursors\handapst.ani,C:\WINDOWS\Cursors\hand.ani,C:\WINDOWS\Cursors\hcross.cur,C:\WINDOWS\Cursors\hibeam.cur,,C:\WINDOWS\Cursors\hnodrop.cur,C:\WINDOWS\Cursors\hns.cur,C:\WINDOWS\Cursors\hwe.cur,C:\WINDOWS\Cursors\hnwse.cur,C:\WINDOWS\Cursors\hnesw.cur,C:\WINDOWS\Cursors\hmove.cur,""
"\xa7\3\xad\3\x391\3\x389\3\xb1\3 ?2?"=""C:\WINDOWS\Cursors\harrow.cur,,C:\WINDOWS\Cursors\handapst.ani,C:\WINDOWS\Cursors\handwait.ani,C:\WINDOWS\Cursors\hcross.cur,C:\WINDOWS\Cursors\hibeam.cur,,C:\WINDOWS\Cursors\handno.ani,C:\WINDOWS\Cursors\handns.ani,C:\WINDOWS\Cursors\handwe.ani,C:\WINDOWS\Cursors\handnwse.ani,C:\WINDOWS\Cursors\handnesw.ani,C:\WINDOWS\Cursors\hmove.cur,""
"\x201d\3\xb5\3\x389\3\xbd\3\x39c\3\x393\3\xb1\3\x395\3\x391\3\x38f\3\x392\3"=""C:\WINDOWS\Cursors\3dgarro.cur,,C:\WINDOWS\Cursors\dinosaur.ani,C:\WINDOWS\Cursors\dinosau2.ani,C:\WINDOWS\Cursors\cross.cur,,,C:\WINDOWS\Cursors\banana.ani,C:\WINDOWS\Cursors\3dsns.cur,C:\WINDOWS\Cursors\3dgwe.cur,C:\WINDOWS\Cursors\3dsnwse.cur,C:\WINDOWS\Cursors\3dgnesw.cur,C:\WINDOWS\Cursors\3dsmove.cur,""
"\xa0\3\x391\3\x38f\3\xb7\3\xb3\3\x38f\3\x39d\3\x38c\3\xb5\3\xbd\3\x38f\3 ?\x38c\3\x38f\3\xbd\3\x394\3\xad\3\xbb\3\x38f\3"=""C:\WINDOWS\Cursors\harrow.cur,,C:\WINDOWS\Cursors\horse.ani,C:\WINDOWS\Cursors\barber.ani,C:\WINDOWS\Cursors\hcross.cur,C:\WINDOWS\Cursors\hibeam.cur,,C:\WINDOWS\Cursors\coin.ani,C:\WINDOWS\Cursors\3dgns.cur,C:\WINDOWS\Cursors\3dgwe.cur,C:\WINDOWS\Cursors\3dgnwse.cur,C:\WINDOWS\Cursors\3dgnesw.cur,C:\WINDOWS\Cursors\3dgmove.cur,""
"\xa3\3\x39d\3\xbd\3\x388\3\xb5\3\x393\3\xb7\3"=""C:\WINDOWS\Cursors\harrow.cur,,C:\WINDOWS\Cursors\drum.ani,C:\WINDOWS\Cursors\metronom.ani,C:\WINDOWS\Cursors\hcross.cur,C:\WINDOWS\Cursors\hibeam.cur,,C:\WINDOWS\Cursors\piano.ani,C:\WINDOWS\Cursors\hns.cur,C:\WINDOWS\Cursors\hwe.cur,C:\WINDOWS\Cursors\hnwse.cur,C:\WINDOWS\Cursors\hnesw.cur,C:\WINDOWS\Cursors\hmove.cur,""
"\x9c\3\xb5\3\xb3\3\xad\3\x388\3\x395\3\xbd\3\x393\3\xb7\3"=""C:\WINDOWS\Cursors\larrow.cur,,C:\WINDOWS\Cursors\lappstrt.cur,C:\WINDOWS\Cursors\lwait.cur,C:\WINDOWS\Cursors\lcross.cur,C:\WINDOWS\Cursors\libeam.cur,,C:\WINDOWS\Cursors\lnodrop.cur,C:\WINDOWS\Cursors\lns.cur,C:\WINDOWS\Cursors\lwe.cur,C:\WINDOWS\Cursors\lnwse.cur,C:\WINDOWS\Cursors\lnesw.cur,C:\WINDOWS\Cursors\lmove.cur,""
"\xa0\3\xb1\3\x391\3\xb1\3\xbb\3\xbb\3\xb1\3\xb3\3\xad\3\x392\3"=""C:\WINDOWS\Cursors\fillitup.ani,,C:\WINDOWS\Cursors\raindrop.ani,C:\WINDOWS\Cursors\counter.ani,C:\WINDOWS\Cursors\cross.cur,,,C:\WINDOWS\Cursors\wagtail.ani,C:\WINDOWS\Cursors\sizens.ani,C:\WINDOWS\Cursors\sizewe.ani,C:\WINDOWS\Cursors\sizenwse.ani,C:\WINDOWS\Cursors\sizenesw.ani,""
"\x9c\3\x390\3\x391\3\x38f\3\x39d\3\x394\3\xb6\3\x389\3\xbd\3\x38f\3 ?3?\x201d\3"=""C:\WINDOWS\Cursors\3dgarro.cur,,C:\WINDOWS\Cursors\appstar2.ani,C:\WINDOWS\Cursors\hourgla2.ani,C:\WINDOWS\Cursors\cross.cur,,,C:\WINDOWS\Cursors\3dgno.cur,C:\WINDOWS\Cursors\3dgns.cur,C:\WINDOWS\Cursors\3dgwe.cur,C:\WINDOWS\Cursors\3dgnwse.cur,C:\WINDOWS\Cursors\3dgnesw.cur,C:\WINDOWS\Cursors\3dgmove.cur,""
"\x9c\3\xb1\3\x39d\3\x391\3\xb1\3 ?W?i?n?d?o?w?s? ?"="C:\WINDOWS\cursors\arrow_r.cur,C:\WINDOWS\cursors\help_r.cur,C:\WINDOWS\cursors\wait_r.cur,C:\WINDOWS\cursors\busy_r.cur,C:\WINDOWS\cursors\cross_r.cur,C:\WINDOWS\cursors\beam_r.cur,C:\WINDOWS\cursors\pen_r.cur,C:\WINDOWS\cursors\no_r.cur,C:\WINDOWS\cursors\size4_r.cur,C:\WINDOWS\cursors\size3_r.cur,C:\WINDOWS\cursors\size2_r.cur,C:\WINDOWS\cursors\size1_r.cur,C:\WINDOWS\cursors\move_r.cur,C:\WINDOWS\cursors\up_r.cur"
"\x9c\3\xb1\3\x39d\3\x391\3\xb1\3 ?W?i?n?d?o?w?s? ?(?\x38c\3\xb5\3\xb3\3\xac\3\xbb\3\xb1\3)?"="C:\WINDOWS\cursors\arrow_rm.cur,C:\WINDOWS\cursors\help_rm.cur,C:\WINDOWS\cursors\wait_rm.cur,C:\WINDOWS\cursors\busy_rm.cur,C:\WINDOWS\cursors\cross_rm.cur,C:\WINDOWS\cursors\beam_rm.cur,C:\WINDOWS\cursors\pen_rm.cur,C:\WINDOWS\cursors\no_rm.cur,C:\WINDOWS\cursors\size4_rm.cur,C:\WINDOWS\cursors\size3_rm.cur,C:\WINDOWS\cursors\size2_rm.cur,C:\WINDOWS\cursors\size1_rm.cur,C:\WINDOWS\cursors\move_rm.cur,C:\WINDOWS\cursors\up_rm.cur"
"\x9c\3\xb1\3\x39d\3\x391\3\xb1\3 ?W?i?n?d?o?w?s? ?(?\x390\3\x38f\3\xbb\3\x39d\3 ?\x38c\3\xb5\3\xb3\3\xac\3\xbb\3\xb1\3)?"="C:\WINDOWS\cursors\arrow_rl.cur,C:\WINDOWS\cursors\help_rl.cur,C:\WINDOWS\cursors\wait_rl.cur,C:\WINDOWS\cursors\busy_rl.cur,C:\WINDOWS\cursors\cross_rl.cur,C:\WINDOWS\cursors\beam_rl.cur,C:\WINDOWS\cursors\pen_rl.cur,C:\WINDOWS\cursors\no_rl.cur,C:\WINDOWS\cursors\size4_rl.cur,C:\WINDOWS\cursors\size3_rl.cur,C:\WINDOWS\cursors\size2_rl.cur,C:\WINDOWS\cursors\size1_rl.cur,C:\WINDOWS\cursors\move_rl.cur,C:\WINDOWS\cursors\up_rl.cur"
"\x2018\3\xbd\3\x394\3\xb5\3\x393\3\x394\3\x391\3\xb1\3\x38c\3\x38c\3\xad\3\xbd\3\xb1\3 ?W?i?n?d?o?w?s?"="C:\WINDOWS\cursors\arrow_i.cur,C:\WINDOWS\cursors\help_i.cur,C:\WINDOWS\cursors\wait_i.cur,C:\WINDOWS\cursors\busy_i.cur,C:\WINDOWS\cursors\cross_i.cur,C:\WINDOWS\cursors\beam_i.cur,C:\WINDOWS\cursors\pen_i.cur,C:\WINDOWS\cursors\no_i.cur,C:\WINDOWS\cursors\size4_i.cur,C:\WINDOWS\cursors\size3_i.cur,C:\WINDOWS\cursors\size2_i.cur,C:\WINDOWS\cursors\size1_i.cur,C:\WINDOWS\cursors\move_i.cur,C:\WINDOWS\cursors\up_i.cur"
"\x2018\3\xbd\3\x394\3\xb5\3\x393\3\x394\3\x391\3\xb1\3\x38c\3\x38c\3\xad\3\xbd\3\xb1\3 ?W?i?n?d?o?w?s? ?(?\x38c\3\xb5\3\xb3\3\xac\3\xbb\3\xb1\3)?"="C:\WINDOWS\cursors\arrow_im.cur,C:\WINDOWS\cursors\help_im.cur,C:\WINDOWS\cursors\wait_im.cur,C:\WINDOWS\cursors\busy_im.cur,C:\WINDOWS\cursors\cross_im.cur,C:\WINDOWS\cursors\beam_im.cur,C:\WINDOWS\cursors\pen_im.cur,C:\WINDOWS\cursors\no_im.cur,C:\WINDOWS\cursors\size4_im.cur,C:\WINDOWS\cursors\size3_im.cur,C:\WINDOWS\cursors\size2_im.cur,C:\WINDOWS\cursors\size1_im.cur,C:\WINDOWS\cursors\move_im.cur,C:\WINDOWS\cursors\up_im.cur"
"\x2018\3\xbd\3\x394\3\xb5\3\x393\3\x394\3\x391\3\xb1\3\x38c\3\x38c\3\xad\3\xbd\3\xb1\3 ?W?i?n?d?o?w?s? ?(?\x390\3\x38f\3\xbb\3\x39d\3 ?\x38c\3\xb5\3\xb3\3\xac\3\xbb\3\xb1\3)?"="C:\WINDOWS\cursors\arrow_il.cur,C:\WINDOWS\cursors\help_il.cur,C:\WINDOWS\cursors\wait_il.cur,C:\WINDOWS\cursors\busy_il.cur,C:\WINDOWS\cursors\cross_il.cur,C:\WINDOWS\cursors\beam_il.cur,C:\WINDOWS\cursors\pen_il.cur,C:\WINDOWS\cursors\no_il.cur,C:\WINDOWS\cursors\size4_il.cur,C:\WINDOWS\cursors\size3_il.cur,C:\WINDOWS\cursors\size2_il.cur,C:\WINDOWS\cursors\size1_il.cur,C:\WINDOWS\cursors\move_il.cur,C:\WINDOWS\cursors\up_il.cur"
"\xa4\3\x395\3\x390\3\x389\3\x38a\3\xac\3 ?W?i?n?d?o?w?s? ?(?\x38c\3\xb5\3\xb3\3\xac\3\xbb\3\xb1\3)?"="C:\WINDOWS\cursors\arrow_m.cur,C:\WINDOWS\cursors\help_m.cur,C:\WINDOWS\cursors\wait_m.cur,C:\WINDOWS\cursors\busy_m.cur,C:\WINDOWS\cursors\cross_m.cur,C:\WINDOWS\cursors\beam_m.cur,C:\WINDOWS\cursors\pen_m.cur,C:\WINDOWS\cursors\no_m.cur,C:\WINDOWS\cursors\size4_m.cur,C:\WINDOWS\cursors\size3_m.cur,C:\WINDOWS\cursors\size2_m.cur,C:\WINDOWS\cursors\size1_m.cur,C:\WINDOWS\cursors\move_m.cur,C:\WINDOWS\cursors\up_m.cur"
"\xa4\3\x395\3\x390\3\x389\3\x38a\3\xac\3 ?W?i?n?d?o?w?s? ?(?\x390\3\x38f\3\xbb\3\x39d\3 ?\x38c\3\xb5\3\xb3\3\xac\3\xbb\3\xb1\3)?"="C:\WINDOWS\cursors\arrow_l.cur,C:\WINDOWS\cursors\help_l.cur,C:\WINDOWS\cursors\wait_l.cur,C:\WINDOWS\cursors\busy_l.cur,C:\WINDOWS\cursors\cross_l.cur,C:\WINDOWS\cursors\beam_l.cur,C:\WINDOWS\cursors\pen_l.cur,C:\WINDOWS\cursors\no_l.cur,C:\WINDOWS\cursors\size4_l.cur,C:\WINDOWS\cursors\size3_l.cur,C:\WINDOWS\cursors\size2_l.cur,C:\WINDOWS\cursors\size1_l.cur,C:\WINDOWS\cursors\move_l.cur,C:\WINDOWS\cursors\up_l.cur"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\\x9a\3\xb1\3\x394\3\xac\3\x391\3\xb3\3\xb7\3\x393\3\xb7\3 ]
@="{67cf8cbd-e5c0-44f7-9de5-e1d599d626d8}"
"Description"="\x391\x3c5\x3c4\x3ac \x3c4\x3b1 \x3b1\x3c1\x3c7\x3b5\x3af\x3b1 \x3b5\x3af\x3bd\x3b1\x3b9 \x3b1\x3c0\x3b1\x3c1\x3b1\x3af\x3c4\x3b7\x3c4\x3b1, \x3b5\x3ac\x3bd \x3b8\x3ad\x3bb\x3b5\x3c4\x3b5 \x3bd\x3b1 \x3ba\x3b1\x3c4\x3b1\x3c1\x3b3\x3ae\x3c3\x3b5\x3c4\x3b5 \x3c4\x3b7\x3bd \x3b5\x3b3\x3ba\x3b1\x3c4\x3ac\x3c3\x3c4\x3b1\x3c3\x3b7 \x3b1\x3c5\x3c4\x3ae\x3c2 \x3c4\x3b7\x3c2 \x3ad\x3ba\x3b4\x3bf\x3c3\x3b7\x3c2 \x3c4\x3c9\x3bd Windows \x3ba\x3b1\x3b9 \x3bd\x3b1 \x3b5\x3c0\x3b9\x3c3\x3c4\x3c1\x3ad\x3c8\x3b5\x3c4\x3b5 \x3c3\x3c4\x3bf \x3c0\x3c1\x3bf\x3b7\x3b3\x3bf\x3cd\x3bc\x3b5\x3bd\x3bf \x3bb\x3b5\x3b9\x3c4\x3bf\x3c5\x3c1\x3b3\x3b9\x3ba\x3cc \x3c3\x3b1\x3c2 \x3c3\x3cd\x3c3\x3c4\x3b7\x3bc\x3b1."
"Display"="\x391\x3bd\x3c4\x3af\x3b3\x3c1\x3b1\x3c6\x3b1 \x3b1\x3c3\x3c6\x3b1\x3bb\x3b5\x3af\x3b1\x3c2 \x3b3\x3b9\x3b1 \x3c0\x3c1\x3bf\x3b7\x3b3\x3bf\x3cd\x3bc\x3b5\x3bd\x3bf \x3bb\x3b5\x3b9\x3c4\x3bf\x3c5\x3c1\x3b3\x3b9\x3ba\x3cc \x3c3\x3cd\x3c3\x3c4\x3b7\x3bc\x3b1"
"IconPath"=str(2):"%SystemRoot%\system32\osuninst.EXE,0"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Volume Control\Realtek HD Audio output\\x9a\3\xb5\3\xbd\3\x394\3\x391\3\x389\3\x38a\3\xae\3 ]
"LineStates"=hex:00,00,00,00,9a,03,b5,03,bd,03,c4,03,c1,03,b9,03,ba,03,ae,03,20,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\\xa3\3\x395\3\xbd\3\x384\3\xad\3\x393\3\xb5\3\x389\3\x392\3]
"Order"=hex:08,00,00,00,02,00,00,00,9c,01,00,00,01,00,00,00,04,00,00,00,56,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\\x2019\3\x38f\3\xb7\3\x388\3\xae\3\x38c\3\xb1\3\x394\3\xb1\3]
"Order"=hex:08,00,00,00,02,00,00,00,3a,0a,00,00,01,00,00,00,0f,00,00,00,2c,..

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\\x2019\3\x38f\3\xb7\3\x388\3\xae\3\x38c\3\xb1\3\x394\3\xb1\3\\x201c\3\x389\3\xb1\3 ]
"Order"=hex:08,00,00,00,02,00,00,00,d0,02,00,00,01,00,00,00,04,00,00,00,c0,..

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\\x2019\3\x38f\3\xb7\3\x388\3\xae\3\x38c\3\xb1\3\x394\3\xb1\3\\x201d\3\x389\3\xb1\3\x393\3\x38a\3\xad\3\x384\3\xb1\3\x393\3\xb7\3]
"Order"=hex:08,00,00,00,02,00,00,00,c0,01,00,00,01,00,00,00,03,00,00,00,92,..

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\\x2019\3\x38f\3\xb7\3\x388\3\xae\3\x38c\3\xb1\3\x394\3\xb1\3\\x2022\3\x390\3\x389\3\x38a\3\x38f\3\x389\3\xbd\3\x399\3\xbd\3\x2015\3\xb5\3\x392\3]
"Order"=hex:08,00,00,00,02,00,00,00,a0,04,00,00,01,00,00,00,06,00,00,00,98,..

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\\x2019\3\x38f\3\xb7\3\x388\3\xae\3\x38c\3\xb1\3\x394\3\xb1\3\\x2022\3\x391\3\xb3\3\xb1\3\xbb\3\xb5\3\x2015\3\xb1\3 ]
"Order"=hex:08,00,00,00,02,00,00,00,92,05,00,00,01,00,00,00,08,00,00,00,a4,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\\x2022\3\x38a\3\x38a\3\x2015\3\xbd\3\xb7\3\x393\3\xb7\3]
"Order"=hex:08,00,00,00,02,00,00,00,3a,01,00,00,01,00,00,00,02,00,00,00,9c,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\\xa0\3\xb1\3\x389\3\x397\3\xbd\3\x2015\3\x384\3\x389\3\xb1\3]
"Order"=hex:08,00,00,00,02,00,00,00,4e,07,00,00,01,00,00,00,0b,00,00,00,c2,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\GrpConv\MapGroups]
"\xa0\3\xb1\3\x389\3\x397\3\xbd\3\x2015\3\x384\3\x389\3\xb1\3"="\x392\x3bf\x3b7\x3b8\x3ae\x3bc\x3b1\x3c4\x3b1\\x3a0\x3b1\x3b9\x3c7\x3bd\x3af\x3b4\x3b9\x3b1"

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

[b]Remaining Services [/b]:

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[b]Remaining Files [/b]:

[b]Files with Hidden Attributes [/b]:

Thu 23 Aug 2007 205,312 A..H. --- "C:\Documents and Settings\sales\’˜ ⚚¨˜­α £¦¬\”ᡜΆ¦\”Ž‹„‘ €€‚‚„Šˆ€‘\~WRL0002.tmp"
Tue 10 Aug 1999 263,184 A..H. --- "C:\Documents and Settings\sales\’˜ ⚚¨˜­α £¦¬\”ᡜΆ¦\”Ž‹„‘ €€‚‚„Šˆ€‘\~WRL3806.tmp"
Tue 31 Oct 2006 826,880 A..H. --- "C:\Documents and Settings\sales\’˜ ⚚¨˜­α £¦¬\”ᡜΆ¦\Ž‘”Ž„‘ ANAŠ—‘ˆ‹—Œ\~WRL1442.tmp"
Tue 8 Nov 2005 264,192 A..H. --- "C:\Documents and Settings\sales\’˜ ⚚¨˜­α £¦¬\”ᡜΆ¦\Ž‘”Ž„‘ PC\~WRL0004.tmp"

[b]Finished![/b]

Do you know what this folder is?

C:\”ᡜΆ¦ </B

Report Offensive Follow Up For Removal

Hi,jabuck.
No,i dont know what this folder is.
I dont know what you mean.

As you can see the folder changed in the second
combofix scan to C:\Φάκελος.

Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore>apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.

Download ATF Cleaner from this link:
ATF Cleaner

Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Run an online scan with Kaspersky from the following link:
Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE YO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component

Click Yes, when prompted to install its ActiveX component.
(Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files.
Once the files are downloaded click on Next
Click on Scan Settings and configure as follows:
Scan using the following Anti-Virus database:
Extended
Scan Options:
Scan Archives
Scan Mail Base
Click OK and, under select a target to scan, select My Computer
When the scan is done, in the Scan is completed window (below), any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.
To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.