Virtumonde again
Spybot found Virtumonde, so I ask you for help :(
Previous actions:
There were possibly more (2) infections, one of them seems to be successfully removed (I removed files described here (http://www.threatexpert.com/report.aspx?uid=cd7a97d5-20ce-41ba-a4cf-01f1dd27a722) and neither they nor the processes appeared again).
Some of the files identified as virtumonde were removed, but yayaWQhF.dll stays in system32 and cannot be deleted.
I suspect explorer to be infected (tried to connect to the internet)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:43:59, on 18.8.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Wireless Console 2\wcourier.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe
C:\Program Files\ASUS\Splendid\ACMON.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ASUS\NB Probe\NBProbe.exe
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\ACEngSvr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\ASUS\Asus ChkMail\ChkMail.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\WINDOWS\system32\dllhost.exe
c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Mozilla Firefox\firefox.exe
c:\PROGRA~1\NORTON~1\NORTON~1\navw32.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.asus.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {474C31C5-578B-4192-8562-2E474578DC27} - C:\WINDOWS\system32\yayaWQhF.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - c:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - c:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Wireless Console 2] C:\Program Files\Wireless Console 2\wcourier.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [ABLKSR] C:\WINDOWS\ABLKSR\ABLKSR.exe
O4 - HKLM\..\Run: [ACMON] C:\Program Files\ASUS\Splendid\ACMON.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NB Probe] C:\Program Files\ASUS\NB Probe\NBProbe.exe
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 52\axcmd.exe" /automount
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Výřezy obrazovky a spuštění aplikace OneNote 2007.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: Zástupce - BackInfo.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: ASUS ChkMail.lnk = C:\Program Files\ASUS\Asus ChkMail\ChkMail.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: MultiFrame.lnk.disabled
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Odeslat do aplikace OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Od&eslat do aplikace OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E92C6C87-7952-463C-8117-230FE6D0E4B4}: NameServer = 192.168.1.1,83.240.30.1
O20 - AppInit_DLLs: acaptuser32.dll
O20 - Winlogon Notify: yayaWQhF - C:\WINDOWS\SYSTEM32\yayaWQhF.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: spmgr - Unknown owner - C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
--
End of file - 12585 bytes
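As an added illustration (not part of this thread, and not Spybot's or HijackThis's own tooling), the following Python script parses the O2/O20 entries from the HijackThis log above and groups them by module. Run over a subset of the posted lines, it shows why a file like yayaWQhF.dll resists a plain delete: it is registered both as a nameless BHO and as a Winlogon Notify package, so winlogon.exe has it loaded for the whole session. The sample lines are copied from the log; the function names and review heuristics are my own.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the O2/O20 lines from the HijackThis log posted above.
SAMPLE_HJT = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {474C31C5-578B-4192-8562-2E474578DC27} - C:\WINDOWS\system32\yayaWQhF.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O20 - AppInit_DLLs: acaptuser32.dll
O20 - Winlogon Notify: yayaWQhF - C:\WINDOWS\SYSTEM32\yayaWQhF.dll
"""

LINE_PATTERNS = [
    # O2: Browser Helper Objects, loaded into every Internet Explorer process
    ("BHO", re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")),
    # O20 Winlogon Notify: notification packages winlogon.exe loads at logon
    ("Winlogon Notify", re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")),
    # O20 AppInit_DLLs: DLLs injected into every process that loads user32.dll
    ("AppInit_DLLs", re.compile(r"^O20 - AppInit_DLLs: (?P<path>.+)$")),
]


def parse_entries(log_text):
    """Return one dict per recognised O2/O20 line: kind, name, path (plus clsid for BHOs)."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for kind, pattern in LINE_PATTERNS:
            match = pattern.match(line)
            if match:
                entry = match.groupdict()
                entry.setdefault("name", "")
                entry["kind"] = kind
                entries.append(entry)
                break
    return entries


def module_key(path):
    """Normalise a path so 'system32' and 'SYSTEM32' refer to the same module."""
    return path.strip().lower()


def review(log_text):
    """Group entries by module and attach notes explaining what each load point implies."""
    per_module = defaultdict(list)
    for entry in parse_entries(log_text):
        per_module[module_key(entry["path"])].append(entry)

    notes = {}
    for key, group in per_module.items():
        kinds = [e["kind"] for e in group]
        reasons = []
        if any(e["kind"] == "BHO" and e["name"] == "(no name)" for e in group):
            reasons.append("O2: BHO registered without a display name")
        if "Winlogon Notify" in kinds:
            reasons.append("O20 Winlogon Notify: loaded by winlogon.exe at logon, so the file is "
                           "in use for the whole session and a plain delete fails")
        if "AppInit_DLLs" in kinds:
            reasons.append("O20 AppInit_DLLs: injected into every process that loads user32.dll; "
                           "confirm the publisher")
        if len(kinds) > 1:
            reasons.append("referenced from %d load points (%s): removing one leaves the others"
                           % (len(kinds), ", ".join(kinds)))
        if reasons:
            notes[key] = reasons
    return notes


if __name__ == "__main__":
    for module, reasons in review(SAMPLE_HJT).items():
        print(module)
        for reason in reasons:
            print("  -", reason)
```

The grouping step is the useful part: a cleanup that removes only the O2 entry leaves the O20 Winlogon Notify registration in place, and the DLL is back in memory at the next logon. Any line type HijackThis emits can be added to LINE_PATTERNS the same way.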
pskelley
2008-08-18, 22:32
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.
I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
1) We need first to disable TeaTimer so that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this Go to the Mode menu select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
2) Remove any old copies of combofix before you proceed.
Thanks to sUBs and anyone else who helped with this fix.
It is important that it is saved directly to your Desktop.
Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall
Post the combofix log and a new HJT log.
Tutorial
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Thanks
The logs as you asked:
ComboFix
ComboFix 08-08-17.05 - Lukas 2008-08-18 22:01:43.1 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.1.1033.18.568 [GMT 2:00]
Running from: C:\Documents and Settings\Lukas\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Lukas\Desktop\Inbox\_FF\WindowsXP-KB310994-SP2-Pro-BootDisk-CSY.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Lukas\UserData
C:\Documents and Settings\Lukas\UserData\index.dat
C:\Documents and Settings\Lukas\UserData\J8M44SHU\oWindowsUpdate[1].xml
C:\Documents and Settings\Lukas\UserData\SNPRI6S6\oWindowsUpdate[1].xml
C:\Documents and Settings\Lukas\UserData\YUT857NK\oWindowsUpdate[1].xml
C:\WINDOWS\system32\_000120_.tmp.dll
C:\WINDOWS\system32\_000131_.tmp.dll
C:\WINDOWS\system32\_000133_.tmp.dll
C:\WINDOWS\system32\_003184_.tmp.dll
C:\WINDOWS\system32\_003185_.tmp.dll
C:\WINDOWS\system32\_003186_.tmp.dll
C:\WINDOWS\system32\_003187_.tmp.dll
C:\WINDOWS\system32\_003194_.tmp.dll
C:\WINDOWS\system32\_003195_.tmp.dll
C:\WINDOWS\system32\_003196_.tmp.dll
C:\WINDOWS\system32\_003197_.tmp.dll
C:\WINDOWS\system32\_003199_.tmp.dll
C:\WINDOWS\system32\_003200_.tmp.dll
C:\WINDOWS\system32\_003203_.tmp.dll
C:\WINDOWS\system32\_003204_.tmp.dll
C:\WINDOWS\system32\_003207_.tmp.dll
C:\WINDOWS\system32\_003208_.tmp.dll
C:\WINDOWS\system32\_003210_.tmp.dll
C:\WINDOWS\system32\_003213_.tmp.dll
C:\WINDOWS\system32\_003214_.tmp.dll
C:\WINDOWS\system32\_003219_.tmp.dll
C:\WINDOWS\system32\_003221_.tmp.dll
C:\WINDOWS\system32\_003224_.tmp.dll
C:\WINDOWS\system32\_003226_.tmp.dll
C:\WINDOWS\system32\_003227_.tmp.dll
C:\WINDOWS\system32\_003228_.tmp.dll
C:\WINDOWS\system32\_003229_.tmp.dll
C:\WINDOWS\system32\_003230_.tmp.dll
C:\WINDOWS\system32\_003233_.tmp.dll
C:\WINDOWS\system32\_003234_.tmp.dll
C:\WINDOWS\system32\_003235_.tmp.dll
C:\WINDOWS\system32\_003236_.tmp.dll
C:\WINDOWS\system32\_003237_.tmp.dll
C:\WINDOWS\system32\_003242_.tmp.dll
C:\WINDOWS\system32\_003244_.tmp.dll
C:\WINDOWS\system32\_003245_.tmp.dll
C:\WINDOWS\system32\yayaWQhF.dll
.
((((((((((((((((((((((((( Files Created from 2008-07-18 to 2008-08-18 )))))))))))))))))))))))))))))))
.
2008-08-18 21:49 . 2008-08-18 21:49 <DIR> d-------- C:\WINDOWS\Sun
2008-08-18 21:38 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-18 21:37 . 2008-08-18 21:38 <DIR> d-------- C:\Program Files\Java
2008-08-18 21:35 . 2008-08-18 21:35 <DIR> d-------- C:\Program Files\Common Files\Java
2008-08-18 18:30 . 2008-08-18 18:51 1,247 --a------ C:\WINDOWS\ARCHPR.INI
2008-08-18 18:29 . 2008-08-18 18:29 <DIR> d-------- C:\Program Files\ElcomSoft
2008-08-18 16:24 . 2008-08-18 21:39 <DIR> d-------- C:\Program Files\uTorrent
2008-08-18 11:44 . 2008-08-18 11:44 <DIR> d-------- C:\Program Files\ZIP PASSWORD FINDER
2008-08-18 11:44 . 2000-05-16 10:40 83,968 --a------ C:\WINDOWS\UnGins.exe
2008-08-18 11:03 . 2008-05-26 22:17 87,552 --a------ C:\WINDOWS\system32\searchfilterhost.exe
2008-08-18 02:42 . 2008-08-18 02:42 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-18 02:00 . 2008-08-18 02:00 91 --a------ C:\WINDOWS\wininit.ini
2008-08-17 22:59 . 2008-08-17 22:59 <DIR> d-------- C:\Program Files\uTorrent2
2008-08-17 22:59 . 2008-08-18 16:24 <DIR> d-------- C:\Documents and Settings\Lukas\Application Data\uTorrent
2008-08-13 14:06 . 2008-05-01 16:33 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-13 14:04 . 2008-04-11 21:04 691,712 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-08 22:49 . 2008-08-08 22:49 288 --a------ C:\WINDOWS\ODBC.INI
2008-08-07 22:55 . 2008-08-07 22:55 <DIR> d-------- C:\Program Files\IrfanView
2008-08-07 22:47 . 2008-08-18 20:53 327 --a------ C:\WINDOWS\wcx_ftp.ini
2008-08-06 18:28 . 2008-08-16 22:16 <DIR> d-------- C:\Documents and Settings\Lukas\Application Data\Ahead
2008-08-06 18:25 . 2008-08-06 18:25 <DIR> d-------- C:\Program Files\Nero
2008-08-06 18:25 . 2008-08-06 18:32 <DIR> d-------- C:\Program Files\Common Files\Ahead
2008-08-06 18:25 . 2008-08-06 18:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-08-06 18:01 . 2008-08-17 23:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-08-06 17:51 . 2008-08-06 17:51 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-08-06 17:51 . 2008-04-07 05:38 45,392 -ra------ C:\WINDOWS\system32\AdobePDF.dll
2008-08-06 17:51 . 2008-04-07 05:38 22,872 -ra------ C:\WINDOWS\system32\AdobePDFUI.dll
2008-08-06 17:28 . 2008-08-06 17:38 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-08-05 19:34 . 2008-08-05 19:34 <DIR> d-------- C:\Documents and Settings\Lukas\Application Data\vlc
2008-08-05 18:57 . 2008-08-05 18:57 <DIR> d-------- C:\Program Files\VideoLAN
2008-08-05 18:02 . 2008-08-17 17:56 <DIR> d-------- C:\Program Files\Codexis
2008-08-05 17:42 . 2008-08-18 19:55 116 --a------ C:\WINDOWS\NeroDigital.ini
2008-08-05 17:40 . 2006-08-23 05:44 352,000 -ra------ C:\WINDOWS\system32\drivers\u3kmini.sys
2008-08-05 17:40 . 2008-04-14 02:12 18,432 --a------ C:\WINDOWS\system32\dllcache\bdaplgin.ax
2008-08-05 17:40 . 2008-04-14 02:12 18,432 --a------ C:\WINDOWS\system32\BdaPlgIn.ax
2008-08-05 17:40 . 2008-04-13 20:46 15,232 --a------ C:\WINDOWS\system32\drivers\MPE.sys
2008-08-05 17:40 . 2008-04-13 20:46 15,232 --a------ C:\WINDOWS\system32\dllcache\mpe.sys
2008-08-05 17:40 . 2008-04-13 20:46 11,776 --a------ C:\WINDOWS\system32\drivers\BdaSup.sys
2008-08-05 17:40 . 2008-04-13 20:46 11,776 --a------ C:\WINDOWS\system32\dllcache\bdasup.sys
2008-08-05 17:25 . 2008-08-05 17:25 <DIR> d-------- C:\Documents and Settings\Lukas\Application Data\ACD Systems
2008-08-05 17:23 . 2008-08-05 17:24 <DIR> d-------- C:\Program Files\Common Files\ACD Systems
2008-08-05 17:23 . 2008-08-05 17:23 <DIR> d-------- C:\Program Files\ACD Systems
2008-08-05 17:23 . 2008-08-05 17:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ACD Systems
2008-08-05 17:18 . 2008-08-05 17:18 <DIR> d-------- C:\Program Files\7-Zip
2008-08-05 03:16 . 2008-08-06 17:51 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-08-05 03:09 . 2008-08-05 12:34 <DIR> d-------- C:\Documents and Settings\Lukas\Application Data\AdobeUM
2008-08-05 02:28 . 2008-08-05 02:28 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-08-05 02:27 . 2008-08-05 02:27 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-08-05 02:27 . 2008-08-05 02:27 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-08-05 02:15 . 2008-06-23 18:57 6,066,176 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-08-05 02:15 . 2007-04-17 11:32 2,455,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-08-05 02:15 . 2007-03-08 07:10 991,232 --------- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-08-05 02:15 . 2008-06-23 18:57 459,264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-08-05 02:15 . 2008-06-23 18:57 383,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-08-05 02:15 . 2008-06-23 18:57 267,776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-08-05 02:15 . 2008-06-23 18:57 63,488 --------- C:\WINDOWS\system32\dllcache\icardie.dll
2008-08-05 02:15 . 2008-06-23 18:57 52,224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-08-05 02:15 . 2008-06-23 11:20 13,824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-08-05 02:05 . 2008-08-05 02:05 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-08-05 01:36 . 2008-08-05 01:36 <DIR> d-------- C:\Program Files\MSECache
2008-08-05 01:36 . 2003-06-25 16:05 266,360 --a------ C:\WINDOWS\system32\TweakUI.exe
2008-08-05 01:36 . 2002-06-21 15:09 160,217 --a------ C:\WINDOWS\system32\PowerToysLicense.rtf
2008-08-05 01:34 . 2008-08-05 01:35 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-08-05 01:30 . 2008-08-05 01:30 <DIR> d-------- C:\Program Files\Media Center Solitaire
2008-08-05 01:30 . 2008-08-05 01:30 <DIR> d-------- C:\Program Files\Media Center Playlist Editor
2008-08-05 01:30 . 2008-08-05 01:30 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-05 01:22 . 2008-08-05 01:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-08-05 01:14 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-08-05 01:14 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-08-05 01:14 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-08-05 01:04 . 2008-08-05 01:04 <DIR> d-------- C:\Documents and Settings\Lukas\Application Data\Windows Search
2008-08-05 01:04 . 2008-08-05 01:04 <DIR> d-------- C:\Documents and Settings\Lukas\Application Data\Windows Desktop Search
2008-08-05 01:03 . 2008-08-05 01:03 <DIR> d-------- C:\WINDOWS\system32\GroupPolicy
2008-08-05 01:03 . 2008-08-05 01:03 <DIR> d-------- C:\Program Files\Windows Desktop Search
2008-08-05 01:03 . 2008-03-07 19:02 192,000 --------- C:\WINDOWS\system32\dllcache\offfilt.dll
2008-08-05 01:03 . 2008-03-07 19:02 98,304 --------- C:\WINDOWS\system32\dllcache\nlhtml.dll
2008-08-05 01:03 . 2008-03-07 19:02 29,696 --------- C:\WINDOWS\system32\dllcache\mimefilt.dll
2008-08-05 00:58 . 2008-08-05 00:58 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-08-05 00:53 . 2008-08-05 00:53 <DIR> d-------- C:\Program Files\BSplayerPro
2008-08-05 00:49 . 2008-08-05 00:49 <DIR> d-------- C:\Program Files\Haali
2008-08-05 00:48 . 2008-08-05 00:48 <DIR> d-------- C:\Program Files\CoreCodec
2008-08-04 21:47 . 2006-10-26 19:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2008-08-04 21:46 . 2008-08-04 21:46 <DIR> d-------- C:\Program Files\Microsoft Works
2008-08-04 21:45 . 2008-08-04 21:45 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-08-04 21:42 . 2008-08-04 21:43 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-08-04 21:42 . 2008-08-14 08:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-08-04 21:41 . 2008-08-04 21:41 <DIR> dr-h----- C:\MSOCache
2008-08-04 21:34 . 2008-08-04 21:34 <DIR> d-------- C:\Program Files\Alcohol Soft
2008-08-04 21:30 . 2008-08-04 21:30 716,272 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-08-04 20:03 . 2008-08-04 20:03 <DIR> d-------- C:\Program Files\Synergy
2008-08-04 16:23 . 2008-08-16 21:01 <DIR> d-------- C:\Totalcmd
2008-08-04 16:23 . 2008-08-18 21:52 5,615 --a------ C:\WINDOWS\wincmd.ini
2008-08-04 16:23 . 2007-06-21 07:01 545 --a------ C:\WINDOWS\UC.PIF
2008-08-04 16:23 . 2007-06-21 07:01 545 --a------ C:\WINDOWS\RAR.PIF
2008-08-04 16:23 . 2007-06-21 07:01 545 --a------ C:\WINDOWS\PKZIP.PIF
2008-08-04 16:23 . 2007-06-21 07:01 545 --a------ C:\WINDOWS\PKUNZIP.PIF
2008-08-04 16:23 . 2007-06-21 07:01 545 --a------ C:\WINDOWS\NOCLOSE.PIF
2008-08-04 16:23 . 2007-06-21 07:01 545 --a------ C:\WINDOWS\LHA.PIF
2008-08-04 16:23 . 2007-06-21 07:01 545 --a------ C:\WINDOWS\ARJ.PIF
2008-08-04 16:20 . 2008-08-04 16:20 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-08-04 16:01 . 2008-08-04 16:01 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-08-04 15:37 . 2008-08-04 15:37 10,671 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-08-04 15:37 . 2008-08-04 15:37 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-08-04 15:06 . 2005-08-03 18:29 2,330,624 --a------ C:\WINDOWS\system32\SET120D.tmp
2008-08-04 15:06 . 2008-06-20 13:51 361,600 --a------ C:\WINDOWS\system32\drivers\tcpip.sys
2008-08-04 15:06 . 2006-03-16 02:00 245,248 --a------ C:\WINDOWS\system32\SET1204.tmp
2008-08-04 15:06 . 2008-06-20 13:08 225,856 --a------ C:\WINDOWS\system32\drivers\tcpip6.sys
2008-08-04 15:06 . 2006-03-16 02:00 148,480 --a------ C:\WINDOWS\system32\SET1203.tmp
2008-08-04 15:06 . 2008-06-20 13:40 138,496 --a------ C:\WINDOWS\system32\drivers\afd.sys
2008-08-04 15:06 . 2006-03-16 02:00 100,352 --a------ C:\WINDOWS\system32\SET1202.tmp
2008-08-04 15:05 . 2006-03-16 02:00 1,507,356 --a------ C:\WINDOWS\system32\SET11C7.tmp
2008-08-04 15:05 . 2006-03-16 02:00 614,429 --a------ C:\WINDOWS\system32\SET11D3.tmp
2008-08-04 15:05 . 2006-03-16 02:00 151,583 --a------ C:\WINDOWS\system32\SET11C9.tmp
2008-08-04 15:05 . 2006-03-16 02:00 53,279 --a------ C:\WINDOWS\system32\SET11CA.tmp
2008-07-25 16:17 . 2006-10-18 21:47 2,450,944 --------- C:\WINDOWS\system32\dllcache\wmvcore.dll
2008-07-25 16:17 . 2006-12-07 06:14 2,330,624 --a------ C:\WINDOWS\system32\SET120B.tmp
2008-07-25 16:16 . 2008-06-13 13:05 272,128 --a------ C:\WINDOWS\system32\drivers\bthport.sys
2008-07-25 16:16 . 2008-06-13 13:05 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys
2008-07-25 16:12 . 2008-05-08 16:02 203,136 --------- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-07-25 15:56 . 2008-08-04 16:04 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-07-25 15:56 . 2008-08-04 16:04 <DIR> d-------- C:\WINDOWS\system32\en
2008-07-25 15:56 . 2008-08-04 16:04 <DIR> d-------- C:\WINDOWS\system32\bits
2008-07-25 15:56 . 2008-08-04 16:04 <DIR> d-------- C:\WINDOWS\l2schemas
2008-07-25 15:56 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-07-25 15:56 . 2008-07-25 15:56 8,192 --a------ C:\WINDOWS\REGLOCS.OLD
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-18 19:56 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-08-15 06:46 --------- d-----w C:\Program Files\Norton Internet Security
2008-08-08 20:39 --------- d-----w C:\Program Files\Common Files\LightScribe
2008-08-06 15:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-06 15:24 --------- d-----w C:\Program Files\ASUS
2008-08-04 13:37 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-08-04 13:37 --------- d-----w C:\Program Files\Symantec
2008-07-01 01:27 108,800 ----a-w C:\WINDOWS\system32\drivers\Rtenicxp.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 02:12 15360]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2006-05-19 18:11 18577448]
"AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 52\axcmd.exe" [2008-03-20 18:39 216520]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-14 02:12 1695232]
"uTorrent"="C:\Program Files\uTorrent\utorrent.exe" [2008-08-14 18:12 267056]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HControl"="C:\WINDOWS\ATK0100\HControl.exe" [2006-07-28 15:04 110592]
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-22 22:19 52840]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 11:12 90112]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-10-21 07:26 761945]
"Wireless Console 2"="C:\Program Files\Wireless Console 2\wcourier.exe" [2005-10-17 17:09 987136]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-08-02 00:38 802816]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-08-02 00:32 696320]
"Power_Gear"="C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe" [2006-03-06 17:13 86016]
"ABLKSR"="C:\WINDOWS\ABLKSR\ABLKSR.exe" [2006-01-03 03:14 61440]
"ACMON"="C:\Program Files\ASUS\Splendid\ACMON.exe" [2006-05-30 10:28 811008]
"NB Probe"="C:\Program Files\ASUS\NB Probe\NBProbe.exe" [2006-05-26 15:00 786432]
"Adobe Acrobat Speed Launcher"="C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 02:25 37232]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-11 22:43 640376]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40 155648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"SkyTel"="SkyTel.EXE" [2006-05-16 11:04 2879488 C:\WINDOWS\SkyTel.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-08-14 07:00 16050176 C:\WINDOWS\RTHDCPL.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 02:12 15360]
C:\Documents and Settings\Lukas\Start Menu\Programs\Startup\
Věýezy obrazovky a spuçtŘnˇ aplikace OneNote 2007.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2007-08-24 04:45:42 101784]
Z*stupce - BackInfo.lnk - D:\Instalaźky\BackInfo\BackInfo.exe [2008-07-24 19:30:03 102400]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk.disabled [2008-08-05 03:16:18 1757]
ASUS ChkMail.lnk - C:\Program Files\ASUS\Asus ChkMail\ChkMail.exe [2006-12-04 12:31:52 32768]
Bluetooth Manager.lnk - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe [2005-06-16 11:11:42 49152]
MultiFrame.lnk.disabled [2006-12-04 12:32:00 1477]
Windows Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2008-05-26 22:19:14 123904]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 22:19 304128]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=acaptuser32.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
"updateMgr"=c:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_1_0
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SMSERIAL"=C:\WINDOWS\sm56hlpr.exe
"PowerForPhone"=C:\Program Files\PowerForPhone\PowerForPhone\PowerForPhone.exe
"Device Detector"=DevDetect.exe -autorun
"ASUS Live Update"=C:\Program Files\ASUS\ASUS Live Update\ALU.exe
"ehTray"=C:\WINDOWS\ehome\ehtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R3 PSched;QoS Packet Scheduler;C:\WINDOWS\system32\DRIVERS\psched.sys [2008-04-13 20:56]
R3 SynMini;USB2.0 1.3M WebCam;C:\WINDOWS\system32\Drivers\SynMini.sys [2006-07-03 03:33]
R3 SynScan;USB2.0 1.3M WebCam Still Image;C:\WINDOWS\system32\Drivers\SynScan.sys [2006-06-30 03:40]
S3 ipswuio;ipswuio;C:\WINDOWS\system32\DRIVERS\ipswuio.sys [2006-01-24 10:45]
S3 u3kmini;ASUS My Cinema-U3000 Mini;C:\WINDOWS\system32\Drivers\u3kmini.sys [2006-08-23 05:44]
*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
2008-08-04 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Lukas.job
- c:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe [2007-05-23 12:13]
2008-08-16 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe [2008-07-07 09:42]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Lukas\Application Data\Mozilla\Firefox\Profiles\lt0vfgok.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.cz/
FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-18 22:13:04
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
C:\WINDOWS\explorer.exe [3336] 0x830DD728
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\CCSETMGR.EXE
C:\Program Files\Common Files\Symantec Shared\CCEVTMGR.EXE
C:\Program Files\Common Files\Symantec Shared\CCPROXY.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\NAVAPSVC.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe
C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\searchindexer.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ACEngSvr.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exe
.
**************************************************************************
.
Completion time: 2008-08-18 22:23:18 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-18 20:22:50
Pre-Run: 33,003,458,560 bytes free
Post-Run: Volných bajtů: 32,949,424,128
WindowsXP-KB310994-SP2-Pro-BootDisk-CSY.exe
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
340 --- E O F --- 2008-08-14 06:52:26
HijackThis
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:51:25, on 18.8.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe
C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Wireless Console 2\wcourier.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe
C:\Program Files\ASUS\Splendid\ACMON.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ACEngSvr.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\ASUS\NB Probe\NBProbe.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ASUS\Asus ChkMail\ChkMail.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.asus.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - c:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - c:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Wireless Console 2] C:\Program Files\Wireless Console 2\wcourier.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [ABLKSR] C:\WINDOWS\ABLKSR\ABLKSR.exe
O4 - HKLM\..\Run: [ACMON] C:\Program Files\ASUS\Splendid\ACMON.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NB Probe] C:\Program Files\ASUS\NB Probe\NBProbe.exe
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 52\axcmd.exe" /automount
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\utorrent.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Výřezy obrazovky a spuštění aplikace OneNote 2007.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: Zástupce - BackInfo.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: ASUS ChkMail.lnk = C:\Program Files\ASUS\Asus ChkMail\ChkMail.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: MultiFrame.lnk.disabled
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Odeslat do aplikace OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Od&eslat do aplikace OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E92C6C87-7952-463C-8117-230FE6D0E4B4}: NameServer = 192.168.1.1,83.240.30.1
O20 - AppInit_DLLs: acaptuser32.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: spmgr - Unknown owner - C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
--
End of file - 12773 bytes
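The ComboFix registry section above records several host-defense settings that a responder reading such a log would check against the software actually installed: Windows Firewall switched off for the standard profile, Security Center antivirus notifications suppressed, an AppInit_DLLs entry, and TCP 3389 globally open in the firewall policy. The script below is an added example, not part of this thread and not code from ComboFix or Spybot; it parses lines in the shape ComboFix prints them (the sample input is constructed from lines copied out of the log above), and emits a review list. The severity labels and the rule set are the example's own assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input: registry-dump lines in the format ComboFix uses,
# with the values taken from the log posted earlier in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=acaptuser32.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"""

# A value line looks like  "Name"=value  (ComboFix sometimes puts a space after '=').
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"\s*=\s*(?P<value>.*)$')


def parse_value(raw: str):
    """Normalise the text after '=': dword:XXXXXXXX and 'N (0xN)' become ints."""
    raw = raw.strip()
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"^(\d+)\s*\(0x[0-9a-fA-F]+\)$", raw)   # e.g. '0 (0x0)'
    if m:
        return int(m.group(1))
    return raw


def parse_registry_dump(text: str) -> Dict[str, Dict[str, object]]:
    """Map each '[key]' header to the "name"=value lines printed under it."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = parse_value(m.group("value"))
    return keys


def review_host_posture(keys: Dict[str, Dict[str, object]]) -> List[Tuple[str, str]]:
    """Return (severity, message) pairs for settings that weaken or bypass host defenses.

    The rules are this example's own assumptions about what is worth a second look;
    each message says what to verify rather than declaring the setting malicious.
    """
    findings: List[Tuple[str, str]] = []
    for key, values in keys.items():
        k = key.lower()
        if k.endswith("\\currentversion\\windows") and values.get("AppInit_DLLs"):
            findings.append(("review", f"AppInit_DLLs loads {values['AppInit_DLLs']} into every "
                                       "process that links user32.dll; confirm it belongs to an installed product"))
        if k.endswith("\\security center") and values.get("AntiVirusDisableNotify") == 1:
            findings.append(("warn", "Security Center antivirus notifications are suppressed "
                                     "(AntiVirusDisableNotify=1)"))
        if "\\security center\\monitoring\\" in k and values.get("DisableMonitoring") == 1:
            product = key.rsplit("\\", 1)[1]
            findings.append(("info", f"Security Center is not monitoring {product}; expected when a "
                                     "third-party suite reports its own status"))
        if k.endswith("\\firewallpolicy\\standardprofile") and values.get("EnableFirewall") == 0:
            findings.append(("warn", "Windows Firewall is disabled for the standard profile; acceptable "
                                     "only if another host firewall is active"))
        if k.endswith("\\globallyopenports\\list"):
            for name in values:
                note = " (Remote Desktop)" if name.startswith("3389:") else ""
                findings.append(("review", f"Port {name}{note} is open to all networks in the firewall policy"))
    return findings


if __name__ == "__main__":
    for severity, message in review_host_posture(parse_registry_dump(SAMPLE_LOG)):
        print(f"[{severity}] {message}")
```

Run against the sample, the script reports five items: the firewall and notification settings as warnings, the delegated Security Center monitoring as informational (normal with a Norton suite installed, as in this log), and the AppInit_DLLs entry and the open 3389 port as items to verify against the installed software.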
pskelley
2008-08-19, 00:17
Thanks for returning your information, let's do some cleaning like this:
Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
*Cleaning Prefetch may result in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html
Download Malwarebytes' Anti-Malware to your Desktop
http://www.besttechie.net/tools/mbam-setup.exe
* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post contents of that file in your next reply.
How is your computer running now?
Thanks
Sorry it took so long, the mail was caught by antispam, so I didn't notice your quick reply. The computer is running fine, I didn't experience any suspicious behavior since the combofix clean.
The prefetch folder was empty already (only layout.ini)
Here follow the results from Malwarebytes' Anti-Malware (I hope it's OK that it isn't in English):
Malwarebytes' Anti-Malware 1.25
Verze databáze: 1070
Windows 5.1.2600 Service Pack 3
15:58:26 19.8.2008
mbam-log-08-19-2008 (15-58-26).txt
Typ skenu: Úplný sken (C:\|D:\|)
Objektu skenováno: 275121
Uplynulý cas: 1 hour(s), 2 minute(s), 4 second(s)
Infikované procesy pameti: 0
Infikované pametové moduly: 0
Infikované klíce registru: 0
Infikované hodnoty registru: 0
Infikované položky dat registru: 0
Infikované složky: 0
Infikované soubory: 3
Infikované procesy pameti:
(Žádné zákerné položky nebyly zjišteny)
Infikované pametové moduly:
(Žádné zákerné položky nebyly zjišteny)
Infikované klíce registru:
(Žádné zákerné položky nebyly zjišteny)
Infikované hodnoty registru:
(Žádné zákerné položky nebyly zjišteny)
Infikované položky dat registru:
(Žádné zákerné položky nebyly zjišteny)
Infikované složky:
(Žádné zákerné položky nebyly zjišteny)
Infikované soubory:
C:\QooBox\Quarantine\C\WINDOWS\system32\yayaWQhF.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7FD491B0-45B6-4C02-A6AE-9FF9A7C6A085}\RP36\A0010775.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7FD491B0-45B6-4C02-A6AE-9FF9A7C6A085}\RP37\A0010825.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
pskelley
2008-08-19, 18:10
Thanks for the feedback, remove combofix from your computer like this:
Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U; it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png
Clean infected System Restore files like this:
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Reboot
Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
Run MBAM to make sure it is clean, don't post a clean scan.
Update Symantec and run a System Scan to make sure it is working right and scanning clean. If you have problems with the program contact tech support for instructions.
http://www.symantec.com/enterprise/support/index.jsp
I will post this information for you now so you can benefit from it.
Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx
Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
http://www.malwarecomplaints.info/
Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
http://users.telenet.be/bluepatchy/miekiemoes/Links.html
The last log was clear.
Thanks for your help, my computer thanks also :) .
Finally I would like you to confirm (or correct) this information, so that I don't break anything.
ATF-cleaner is a tool I can use to delete all the files that are not needed and it can't cause any harm.
MBAM is something like Spybot (same function) - Should I perform the scan sometimes? Is it better than Spybot when it found files Spybot didn't?
Norton antivirus - do you recommend me to use some lighter (like NOD)?
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier. - I don't get it - could you explain?
pskelley
2008-08-19, 20:14
ATF-Cleaner is a small tool that does a good job cleaning stuff we often forget to clean. I run it once a month or so. Use MBAM as a backup scanner, just turn it off and let it be there if you need it. The creators go after rogue junk with it. Spybot will cover more malware areas than that, keep it up to date and immunized and run it every couple of weeks to keep the computer good and clean of junk. I just checked the database and Spybot removes over 72,000 malware.
Read the information from the experts I posted and when you finish, if you still have any questions, post them.
Gracias
Thanks again.
I think this is a goodbye, hopefully for a long time.