Infostealer and Trojan.Vundo



#1
miroslaw

I had to get them 2 days ago when looking for free software. Only Norton detects them. No detection with Panda and AVG 7.5. The PC keeps restarting and runs much slower, and Avant browser takes me to the "Embedding" search site, which I never went to before. Knowing how busy you are, I tried to take care of the problem. So far, after running VundoFix 3 times, no more Vundo files are detected, but the PC is still not the same - something else?
Thank you for any help.
m

Logfile of HijackThis v1.99.1
Scan saved at 3:23:36 AM, on 3/4/2007
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Print Server\PTP\PSDiagnostic.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\devldr32.exe
C:\Documents and Settings\Administrator\Moje dokumenty\PrOgRaMs\VundoFix\VundoFix.exe
C:\Documents and Settings\Administrator\Moje dokumenty\PrOgRaMs\HijackThis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1D84804A-B88B-48C2-9194-886FBB6F1509} - C:\WINDOWS\system32\urqqoop.dll (file missing)
O2 - BHO: (no name) - {6B0C117A-E72B-46FB-9AAB-121661BBE347} - C:\WINDOWS\system32\pmnol.dll (file missing)
O2 - BHO: (no name) - {99C7D227-F24C-4192-8ECC-B2AA843F5D60} - C:\WINDOWS\system32\jkklj.dll (file missing)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D38439EC-4A7F-42b4-90C2-D810D7778FDD} - C:\WINDOWS\system32\sucbjowq.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [PrintServer Diagnostic] C:\Program Files\Print Server\PTP\PSDiagnostic.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Add to AD Black List - C:\PROGRA~1\AVANTB~1\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\PROGRA~1\AVANTB~1\AddAllToADBlackList.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Highlight - C:\PROGRA~1\AVANTB~1\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\PROGRA~1\AVANTB~1\OpenAllLinks.htm
O8 - Extra context menu item: Open In New Avant Browser - C:\PROGRA~1\AVANTB~1\OpenInNewBrowser.htm
O8 - Extra context menu item: Search - C:\PROGRA~1\AVANTB~1\Search.htm
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


#2
Jayzeee

Hi miroslaw, and welcome to Geeks to Go.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {1D84804A-B88B-48C2-9194-886FBB6F1509} - C:\WINDOWS\system32\urqqoop.dll (file missing)
O2 - BHO: (no name) - {6B0C117A-E72B-46FB-9AAB-121661BBE347} - C:\WINDOWS\system32\pmnol.dll (file missing)
O2 - BHO: (no name) - {99C7D227-F24C-4192-8ECC-B2AA843F5D60} - C:\WINDOWS\system32\jkklj.dll (file missing)
O2 - BHO: (no name) - {D38439EC-4A7F-42b4-90C2-D810D7778FDD} - C:\WINDOWS\system32\sucbjowq.dll (file missing)

Now close all windows other than HiJackThis, then click Fix Checked. Restart your machine.

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Close any other open windows and click the Empty Selected button.
If you use Firefox browser:
  • Click Firefox at the top and choose: Select All
  • Close any other open windows and click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser:
  • Click Opera at the top and choose: Select All
  • Close any other open windows and click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

After that please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post, along with a new HijackThis log.

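
Added example, not part of any post in this thread: a Python triage of the O2 (Browser Helper Object) lines from the HijackThis logs here, showing what the four entries picked out above have in common and checking that none of them is still registered in the follow-up log posted later in the thread. The scoring rule and function names are this example's own assumptions, not HijackThis behaviour.

```python
import ntpath
import re

# O2/O3 lines copied from the first HijackThis log in this thread.
BEFORE = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1D84804A-B88B-48C2-9194-886FBB6F1509} - C:\WINDOWS\system32\urqqoop.dll (file missing)
O2 - BHO: (no name) - {6B0C117A-E72B-46FB-9AAB-121661BBE347} - C:\WINDOWS\system32\pmnol.dll (file missing)
O2 - BHO: (no name) - {99C7D227-F24C-4192-8ECC-B2AA843F5D60} - C:\WINDOWS\system32\jkklj.dll (file missing)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D38439EC-4A7F-42b4-90C2-D810D7778FDD} - C:\WINDOWS\system32\sucbjowq.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
"""

# O2 lines copied from the log posted after "Fix Checked" and a restart.
AFTER = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
"""

# "O2 - BHO: <name> - {CLSID} - <path>[ (file missing)]"
O2 = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)


def parse_bhos(log_text):
    """Return one dict per O2 line; every other section is ignored."""
    entries = []
    for line in log_text.splitlines():
        m = O2.match(line.strip())
        if m:
            entries.append({
                "name": m.group("name"),
                "clsid": m.group("clsid").upper(),  # CLSIDs compare case-insensitively
                "path": m.group("path"),
                "missing": m.group("missing") is not None,
            })
    return entries


def reasons(entry):
    """Traits shared by the entries selected for fixing (assumed heuristic)."""
    found = []
    if entry["name"] == "(no name)":
        found.append("listed as (no name)")
    if entry["missing"]:
        found.append("points at a file that no longer exists")
    if ntpath.dirname(entry["path"]).lower().endswith(r"\windows\system32"):
        found.append("DLL sits directly in system32")
    return found


def suspicious_bhos(log_text, threshold=2):
    """Entries showing at least `threshold` of the traits above."""
    return [e for e in parse_bhos(log_text) if len(reasons(e)) >= threshold]


def flagged_files(log_text):
    """File names of the flagged entries, in log order."""
    return [ntpath.basename(e["path"]) for e in suspicious_bhos(log_text)]


def leftover_clsids(before, after):
    """Flagged CLSIDs from `before` that are still registered in `after`."""
    after_ids = {e["clsid"] for e in parse_bhos(after)}
    return [e["clsid"] for e in suspicious_bhos(before) if e["clsid"] in after_ids]


if __name__ == "__main__":
    for e in suspicious_bhos(BEFORE):
        print(e["clsid"], ntpath.basename(e["path"]), "-", "; ".join(reasons(e)))
    print("still registered after the fix:", leftover_clsids(BEFORE, AFTER))
```

The two named BHOs under Program Files show none of the traits and are left alone, which matches the selection made in the reply above.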

#3
miroslaw

Thank you Jayzeee for your help,
Please find enclosed scans.
Have a Good Day
m


Logfile of HijackThis v1.99.1
Scan saved at 1:30:57 AM, on 3/8/2007
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Avant Browser\avant.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSCNo.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Administrator\Moje dokumenty\PrOgRaMs\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [PrintServer Diagnostic] C:\Program Files\Print Server\PTP\PSDiagnostic.exe
O4 - HKLM\..\Run: [DVD43] C:\PROGRA~1\DVDREG~1\DVDRegionFree.exe /hidden
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Open In New Avant Browser - C:\Program Files\Avant Browser\OpenInNewBrowser.htm
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe



------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, March 08, 2007 1:30:03 AM
Operating System: Microsoft Windows XP Professional, Dodatek Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 8/03/2007
Kaspersky Anti-Virus database records: 278556
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 37052
Number of viruses found: 7
Number of infected objects: 31 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:01:46

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\UserData\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Ustawienia lokalne\Historia\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Ustawienia lokalne\Historia\History.IE5\MSHist012007030820070309\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Ustawienia lokalne\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\All Users\Dane aplikacji\Symantec\Norton Internet Security\Log\Confdntl.log Object is locked skipped
C:\Documents and Settings\All Users\Dane aplikacji\Symantec\Norton Internet Security\Log\Content.log Object is locked skipped
C:\Documents and Settings\All Users\Dane aplikacji\Symantec\Norton Internet Security\Log\Privacy.log Object is locked skipped
C:\Documents and Settings\All Users\Dane aplikacji\Symantec\Norton Internet Security\Log\Restrict.log Object is locked skipped
C:\Documents and Settings\All Users\Dane aplikacji\Symantec\Norton Internet Security\Log\Spam.log Object is locked skipped
C:\Documents and Settings\All Users\Dane aplikacji\Symantec\Norton Internet Security\Log\WebHist.log Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Ustawienia lokalne\Dane aplikacji\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Ustawienia lokalne\Dane aplikacji\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Ustawienia lokalne\Historia\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Ustawienia lokalne\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Ustawienia lokalne\Dane aplikacji\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Ustawienia lokalne\Dane aplikacji\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SymNeti1000.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SymNeti1001.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SymNeti1002.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SymNeti1003.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SymNeti1004.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SymNeti1005.log Object is locked skipped
C:\Program Files\Norton Internet Security\nisum.dat Object is locked skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\302062A2.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gf skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\437061AE.dll Infected: Trojan.Win32.BHO.g skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\437061AE.exe Infected: not-a-virus:AdWare.Win32.Agent.at skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\4391058A.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gf skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\43B55363.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\49340356.dll Infected: Trojan.Win32.BHO.g skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\49445544.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\49657920.exe Infected: not-a-virus:AdWare.Win32.Agent.at skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\62217BE8.exe Infected: not-a-virus:AdWare.Win32.Agent.at skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\623B4BCB.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gf skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\625C6FA7.dll Infected: Trojan.Win32.BHO.g skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\627C1383.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{1A40FC69-1D62-4574-B367-488CF382B5E4}\RP144\A0330715.exe/stream/data0001 Infected: Trojan-Clicker.Win32.VB.la skipped
C:\System Volume Information\_restore{1A40FC69-1D62-4574-B367-488CF382B5E4}\RP144\A0330715.exe/stream Infected: Trojan-Clicker.Win32.VB.la skipped
C:\System Volume Information\_restore{1A40FC69-1D62-4574-B367-488CF382B5E4}\RP144\A0330715.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{1A40FC69-1D62-4574-B367-488CF382B5E4}\RP144\A0330715.exe CryptFF: infected - 2 skipped
C:\System Volume Information\_restore{1A40FC69-1D62-4574-B367-488CF382B5E4}\RP144\A0330716.exe/stream/data0001 Infected: Trojan-Clicker.Win32.VB.la skipped
C:\System Volume Information\_restore{1A40FC69-1D62-4574-B367-488CF382B5E4}\RP144\A0330716.exe/stream Infected: Trojan-Clicker.Win32.VB.la skipped
C:\System Volume Information\_restore{1A40FC69-1D62-4574-B367-488CF382B5E4}\RP144\A0330716.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{1A40FC69-1D62-4574-B367-488CF382B5E4}\RP144\A0330716.exe CryptFF: infected - 2 skipped
C:\System Volume Information\_restore{1A40FC69-1D62-4574-B367-488CF382B5E4}\RP144\A0330717.exe/data0004 Infected: Trojan-Clicker.Win32.VB.ju skipped
C:\System Volume Information\_restore{1A40FC69-1D62-4574-B367-488CF382B5E4}\RP144\A0330717.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{1A40FC69-1D62-4574-B367-488CF382B5E4}\RP144\A0330717.exe CryptFF: infected - 1 skipped
C:\System Volume Information\_restore{1A40FC69-1D62-4574-B367-488CF382B5E4}\RP153\A0354942.dll Infected: Trojan.Win32.BHO.g skipped
C:\System Volume Information\_restore{1A40FC69-1D62-4574-B367-488CF382B5E4}\RP153\A0354943.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gf skipped
C:\System Volume Information\_restore{1A40FC69-1D62-4574-B367-488CF382B5E4}\RP153\A0354944.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume Information\_restore{1A40FC69-1D62-4574-B367-488CF382B5E4}\RP153\A0354945.exe Infected: not-a-virus:AdWare.Win32.Agent.at skipped
C:\System Volume Information\_restore{1A40FC69-1D62-4574-B367-488CF382B5E4}\RP153\A0356942.dll Infected: Trojan.Win32.BHO.g skipped
C:\System Volume Information\_restore{1A40FC69-1D62-4574-B367-488CF382B5E4}\RP153\A0356951.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hk skipped
C:\System Volume Information\_restore{1A40FC69-1D62-4574-B367-488CF382B5E4}\RP154\change.log Object is locked skipped
C:\VundoFix Backups\sucbjowq.dll.bad Infected: Trojan.Win32.BHO.g skipped
C:\VundoFix Backups\urqqoop.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.hk skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Cookies\index.dat Object is locked skipped
C:\WINDOWS\Temp\Historia\History.IE5\index.dat Object is locked skipped
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped

Scan process completed.

#4
Jayzeee

Looking much better. Your system restore point is infected but we won't create a new one until we are sure your system is clean. I'm not seeing anything else to worry about in your logs.

How are things running?
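
Added example, not part of any post in this thread: a Python sketch that sorts the "Infected:" lines of a Kaspersky Online Scanner report like the one above by where the file sits, so detections in antivirus quarantine, System Restore snapshots and VundoFix backups are separated from anything still live on disk. The location labels and function names are assumptions of this example; the sample lines are a subset copied from the report.

```python
import re
from collections import defaultdict

# Subset of lines copied from the Kaspersky report posted in this thread.
REPORT = r"""
C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\302062A2.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gf skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\437061AE.dll Infected: Trojan.Win32.BHO.g skipped
C:\System Volume Information\_restore{1A40FC69-1D62-4574-B367-488CF382B5E4}\RP144\A0330715.exe/stream/data0001 Infected: Trojan-Clicker.Win32.VB.la skipped
C:\System Volume Information\_restore{1A40FC69-1D62-4574-B367-488CF382B5E4}\RP144\A0330715.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{1A40FC69-1D62-4574-B367-488CF382B5E4}\RP153\A0354944.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\VundoFix Backups\sucbjowq.dll.bad Infected: Trojan.Win32.BHO.g skipped
C:\VundoFix Backups\urqqoop.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.hk skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
"""

# "<object> Infected: <verdict> skipped"; locked files and archive summaries do not match.
INFECTED = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) skipped$")

# Storage locations where a detected file is kept but not loaded.
# The labels are this example's own, not Kaspersky terminology.
INERT = (
    ("av-quarantine", re.compile(r"\\Quarantine\\", re.I)),
    ("system-restore", re.compile(r"\\System Volume Information\\_restore\{", re.I)),
    ("vundofix-backup", re.compile(r"^[A-Z]:\\VundoFix Backups\\", re.I)),
)


def classify(path):
    """Label a path with the inert location it sits in, or 'live'."""
    for label, pattern in INERT:
        if pattern.search(path):
            return label
    return "live"


def triage(report):
    """Return {location: {container_file: set(verdict names)}}."""
    out = defaultdict(lambda: defaultdict(set))
    for line in report.splitlines():
        m = INFECTED.match(line.strip())
        if not m:
            continue
        # Objects inside an installer are reported as file.exe/stream/...;
        # fold them back onto the file that is actually on disk.
        container = m.group("path").split("/", 1)[0]
        out[classify(container)][container].add(m.group("threat"))
    return out


def live_detections(report):
    """Detected files outside quarantine, restore points and tool backups."""
    return sorted(triage(report).get("live", {}))


def infected_restore_points(report):
    """Restore point folders (RPnnn) that hold at least one detected file."""
    points = set()
    for path in triage(report).get("system-restore", {}):
        m = re.search(r"\\(RP\d+)\\", path)
        if m:
            points.add(m.group(1))
    return sorted(points)


if __name__ == "__main__":
    for location, files in triage(REPORT).items():
        print(location, len(files), "file(s)")
    print("live:", live_detections(REPORT))
    print("restore points holding detections:", infected_restore_points(REPORT))
```

An empty live list with detections only under restore points is the situation described in the reply above: nothing active was found, but the existing restore points still carry the files.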

#5
miroslaw

Thank you Jayzeee.
When should I create a restore point? How do I know my system is clean - ever? Things are almost running normally. Still shuts down and restarts sometimes.
m

#6
Jayzeee

Hi miroslaw,

How I know my system is clean - ever ?

You know your own machine and how it should run, and notice when it behaves strangely. However, unfortunately this only applies to some infections; newer types of malware can stealthily get onto your system and you will not see any difference in your computer's performance. I will post a list of security utilities and links once we are done here, which will greatly reduce the risk of this happening. As you are still experiencing problems I would like you to run a couple of scanners to make sure there is nothing lurking in your system.

Please download Rootkit Revealer (link is at the very bottom of the page)
  • Unzip it to your desktop.
  • Open the rootkitrevealer folder and double-click rootkitrevealer.exe
  • Close ALL windows and programs and do nothing on the pc while the scan runs. This includes games, browser windows, email clients, etc.
  • Click the Scan button (bottom right)
  • It may take a while to scan (don't do anything while it's running)
  • When it's done, go up to File > Save. Choose to save it to your desktop.
  • Open rootkitrevealer.txt on your desktop and copy the entire contents and paste them here
Please run a GMER Rootkit scan:

Download GMER from HERE

Unzip it to the desktop and start GMER.exe
Open the program and click on the Rootkit tab.
Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
Click on Scan.
When the scan has run click Copy and paste the results (if any) into this thread.

Please post back the Rootkit revealer log, the GMER log and a fresh HijackThis log.

#7
miroslaw

Thank you Jayzeee one more time.
I was able to run Rootkit Revealer only. Every time I tried to open GMER the computer turned off and restarted.

HKLM\SECURITY\Policy\Secrets\SAC* 2006-03-19 16:21 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 2006-03-19 16:21 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 2007-03-11 20:57 80 bytes Data mismatch between Windows API and raw hive data.


Logfile of HijackThis v1.99.1
Scan saved at 9:34:45 PM, on 3/11/2007
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Print Server\PTP\PSDiagnostic.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Avant Browser\avant.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Administrator\Moje dokumenty\PrOgRaMs\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [PrintServer Diagnostic] C:\Program Files\Print Server\PTP\PSDiagnostic.exe
O4 - HKLM\..\Run: [DVD43] C:\PROGRA~1\DVDREG~1\DVDRegionFree.exe /hidden
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Open In New Avant Browser - C:\Program Files\Avant Browser\OpenInNewBrowser.htm
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: KEW - Sysinternals - www.sysinternals.com - C:\DOCUME~1\ADMINI~1\USTAWI~1\Temp\KEW.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Have A Good Day
m

#8
Jayzeee

Well the Rootkit Revealer log looks clean. Do you get a BSOD when you open GMER?

Let's try one more...

  • Click here to download AVG Anti Rootkit and save it to your desktop.
  • Double-click on the AVG_AntiRootkit_1.0.0.13.exe file to run it.
  • Click "I Agree" to agree to the EULA.
  • By default it will install to "G:\Program Files\GRISOFT\AVG Anti-Rootkit Beta".
  • Click "Next" to begin the installation then click "Install".
  • It will then ask you to reboot now to finish the installation.
  • Click "Finish" and your computer will reboot.
  • After it reboots, double-click on the AVG Anti-Rootkit Beta shortcut that is now on your desktop.
  • Click on the "Perform in-depth search" button to begin the scan.
  • The scan will take a while so be patient and let it complete.
  • When the scan is finished, click the "Save result to file" button.
  • Save the scan results to your desktop then come back here to copy and paste the results in your next reply to this thread.


#9
miroslaw

Thank you for help.
Half of the time when I try to open GMER I'm getting a blue screen for a very short time.
AVG Anti Rootkit scan is clean - scan was very fast. I'm using AVG Anti-Spyware 7.5 - is there any software conflict with Anti Root?

miroslaw
  • 0

#10
Jayzeee

    Member 1K

  • Member
  • 1,238 posts

Half of the time when I try to open GMER I'm getting a blue screen for a very short time.

Okay, I have heard of this before. I suspect it could be a bug in the program.

AVG Anti Rootkit scan is clean - scan was very fast. I'm using AVG Anti-Spyware 7.5 - is there any software conflict with Anti Root?

Nope, well none that I know of. I have both installed on my machine with no problems.

Please open HiJackThis
  • Click on the "Config..." button on the bottom right
  • Click on the tab "Misc Tools"
  • Click on "Open ADS Spy.."
  • Click on "Scan"
  • Click on "Save Log..."
  • Copy and paste the list from the notepad into your next post

  • 0

#11
miroslaw

    New Member

  • Topic Starter
  • Member
  • 8 posts
Thanks again for your help.
I noticed another tiny problem - I can't clean completely URL history - Norton Systemworks web cleanup makes an attempt but all the time the same /1/ one URL is left. All other cleaners do not do the job.

After opening HiJackThis/ADS Spy - what options should I check?
With one option checked - "ignore safe system info stream" - the scan is clean.
With all 3 unchecked, the scan is below:


C:\Documents and Settings\Administrator\Moje dokumenty\Moje obrazy\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Administrator\Moje dokumenty\old computers My Documents\new documents\Mirek\E-MAIL\PICTURES\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Administrator\Moje dokumenty\old computers My Documents\new documents\Mirek\E-MAIL\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Administrator\Moje dokumenty\old computers My Documents\new documents\Mirek\Scanned documents\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Administrator\Moje dokumenty\old computers My Documents\Zdjecia\Africa1\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Administrator\Moje dokumenty\old computers My Documents\Zdjecia\Africa2\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Administrator\Moje dokumenty\old computers My Documents\Zdjecia\Africa3\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Administrator\Moje dokumenty\old computers My Documents\Zdjecia\Arizona November 2002\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Administrator\Moje dokumenty\old computers My Documents\Zdjecia\Arizona October 2003\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Administrator\Moje dokumenty\old computers My Documents\Zdjecia\Block Island 2004\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Administrator\Moje dokumenty\old computers My Documents\Zdjecia\Block Island 2005\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Administrator\Moje dokumenty\old computers My Documents\Zdjecia\BostonAugust2003\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Administrator\Moje dokumenty\old computers My Documents\Zdjecia\Documents\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Administrator\Moje dokumenty\old computers My Documents\Zdjecia\Ethiopia 2007\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Administrator\Moje dokumenty\old computers My Documents\Zdjecia\GladyszArkadiusz\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Administrator\Moje dokumenty\old computers My Documents\Zdjecia\Grzegorz Wojski z Marta Krawiec w NY oraz SF 2006\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Administrator\Moje dokumenty\old computers My Documents\Zdjecia\Kasia Bozydar\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Administrator\Moje dokumenty\old computers My Documents\Zdjecia\koty\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Administrator\Moje dokumenty\old computers My Documents\Zdjecia\MareczekTomaszewski\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Administrator\Moje dokumenty\old computers My Documents\Zdjecia\Polska\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Administrator\Moje dokumenty\old computers My Documents\Zdjecia\Polska April 2005\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Administrator\Moje dokumenty\old computers My Documents\Zdjecia\Polska Oct-Nov 2005\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Administrator\Moje dokumenty\old computers My Documents\Zdjecia\Polska UK September2003\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Administrator\Moje dokumenty\old computers My Documents\Zdjecia\RG 81 birthday\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Administrator\Moje dokumenty\old computers My Documents\Zdjecia\Rodzice\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Administrator\Moje dokumenty\old computers My Documents\Zdjecia\RosemarieGlennon\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Administrator\Moje dokumenty\old computers My Documents\Zdjecia\Scanned pictures\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Administrator\Moje dokumenty\old computers My Documents\Zdjecia\Sienkiewicza 40\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Administrator\Moje dokumenty\old computers My Documents\Zdjecia\SriLanca 2002\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Administrator\Moje dokumenty\old computers My Documents\Zdjecia\Sylwester 2006\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Administrator\Moje dokumenty\old computers My Documents\Zdjecia\WiesMireKic\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Administrator\Moje dokumenty\old computers My Documents\Zdjecia\zbierane rozne Polska\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Administrator\Moje dokumenty\old computers My Documents\Zdjecia\ZygaJola\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Administrator\Moje dokumenty\PrOgRaMs\Ashampoo AntiSpyWare 1.10\Ashampoo.AntiSpyWare.1.01.KeyGen.CiM.zip : Zone.Identifier (26 bytes)
C:\Documents and Settings\Administrator\Moje dokumenty\PrOgRaMs\Ashampoo AntiSpyWare 1.50\ashampoo_antispyware150_sm.exe : Zone.Identifier (26 bytes)
C:\Documents and Settings\Administrator\Moje dokumenty\PrOgRaMs\Ashampoo PowerUp XP Platinum 2 2.2\ashampoo.powerup.xp.platinum.2.2.patch-icu.zip : Zone.Identifier (26 bytes)
C:\Documents and Settings\Administrator\Moje dokumenty\PrOgRaMs\Ashampoo PowerUp XP Platinum 2 2.2\Ashampoo.PowerUp.XP.Platinum.2.v2.20.keygen.zip : Zone.Identifier (26 bytes)
C:\Documents and Settings\Administrator\Moje dokumenty\PrOgRaMs\Ashampoo PowerUp XP Platinum 2 2.2\Ashampoo.PowerUp.XP.Platinum.2.v2.20.zip : Zone.Identifier (26 bytes)
C:\Documents and Settings\Administrator\Moje dokumenty\PrOgRaMs\Ashampoo PowerUp XP Platinum 2 2.2\ashampoo_powerupxp_platinum220_se.exe : Zone.Identifier (26 bytes)
C:\Documents and Settings\Administrator\Moje dokumenty\PrOgRaMs\Ashampoo WinOptimizer Platinum 3.05\ashampoo_winoptimizerplatinum305_se.exe : Zone.Identifier (26 bytes)
C:\Documents and Settings\Administrator\Moje dokumenty\PrOgRaMs\AVG Anti-Virus - old Ewido\avgas-setup-7.5.0.50.exe : Zone.Identifier (26 bytes)
C:\Documents and Settings\Administrator\Moje dokumenty\PrOgRaMs\CCleaner 1.30.310\ccsetup130.exe : Zone.Identifier (26 bytes)
C:\Documents and Settings\Administrator\Moje dokumenty\PrOgRaMs\CWShredder 2.19\cwshredder.exe : Zone.Identifier (26 bytes)
C:\Documents and Settings\Administrator\Moje dokumenty\PrOgRaMs\Genealogy Finder 1.0\GenFinder.exe : Zone.Identifier (26 bytes)
C:\Documents and Settings\Administrator\Moje dokumenty\PrOgRaMs\HijackThis\hijackthis.zip : Zone.Identifier (26 bytes)
C:\Documents and Settings\Administrator\Moje dokumenty\PrOgRaMs\IrfanView 3.98 and 3.99\iview398.exe : Zone.Identifier (26 bytes)
C:\Documents and Settings\Administrator\Moje dokumenty\PrOgRaMs\IrfanView 3.98 and 3.99\iview399.exe : Zone.Identifier (26 bytes)
C:\Documents and Settings\Administrator\Moje dokumenty\PrOgRaMs\Kaspersky\kav6[1].0.2.614en.exe : Zone.Identifier (26 bytes)
C:\Documents and Settings\Administrator\Moje dokumenty\PrOgRaMs\Personal Chess Trainer 2.00.28\PCT.exe : Zone.Identifier (26 bytes)
C:\Documents and Settings\Administrator\Moje dokumenty\PrOgRaMs\Personal Chess Trainer 2.00.28\Personal.Chess.Trainer.v2.00.28.Incl.Keymaker.EMBRACE.zip : Zone.Identifier (26 bytes)
C:\Documents and Settings\Administrator\Moje dokumenty\PrOgRaMs\SpywareBlaster 3.5.1\spywareblastersetup351.exe : Zone.Identifier (26 bytes)
C:\Documents and Settings\Administrator\Moje dokumenty\PrOgRaMs\VLC Media Player\vlc-0[1].8.4a-win32.exe : Zone.Identifier (26 bytes)
C:\Documents and Settings\Administrator\Moje dokumenty\PrOgRaMs\WinDVD Platinum 7.0 Build 27.172\WinDVD7.exe : Zone.Identifier (26 bytes)
C:\Documents and Settings\Administrator\Moje dokumenty\PrOgRaMs\WinDVD Platinum 7.0 Build 27.172\WinDVD7kg.rar : Zone.Identifier (26 bytes)
C:\Documents and Settings\Administrator\Moje dokumenty\PrOgRaMs\WinPatrol 9.8.1\wpsetup.exe : Zone.Identifier (26 bytes)
C:\Documents and Settings\Administrator\Pulpit\CURRENT\Acute Infectious Diarrhea art.htm : Zone.Identifier (26 bytes)
C:\Documents and Settings\Administrator\Pulpit\CURRENT\AliensFishingforHumans(OUTSTANDING).wmv : Zone.Identifier (26 bytes)
C:\Documents and Settings\Administrator\Pulpit\CURRENT\APRIL 06.doc : Zone.Identifier (26 bytes)
C:\Documents and Settings\Administrator\Pulpit\CURRENT\APRIL-2007.doc : Zone.Identifier (26 bytes)
C:\Documents and Settings\Administrator\Pulpit\CURRENT\arrhytmia and syncopy.pdf : Zone.Identifier (26 bytes)
C:\Documents and Settings\Administrator\Pulpit\CURRENT\AUGUST 06.doc : Zone.Identifier (26 bytes)
C:\Documents and Settings\Administrator\Pulpit\CURRENT\blunt abd trauma.pdf : Zone.Identifier (26 bytes)
C:\Documents and Settings\Administrator\Pulpit\CURRENT\brain injury children CT.htm : Zone.Identifier (26 bytes)
C:\Documents and Settings\Administrator\Pulpit\CURRENT\Catalog.LiveSubscribe : Zone.Identifier (26 bytes)
C:\Documents and Settings\Administrator\Pulpit\CURRENT\Cellulitis art.htm : Zone.Identifier (26 bytes)
C:\Documents and Settings\Administrator\Pulpit\CURRENT\Certificate.pdf : Zone.Identifier (26 bytes)
C:\Documents and Settings\Administrator\Pulpit\CURRENT\ConCertArticlesPDF2005outlines.zip : Zone.Identifier (26 bytes)
C:\Documents and Settings\Administrator\Pulpit\CURRENT\ConCertArticlesPDF2006outlines.zip : Zone.Identifier (26 bytes)
C:\Documents and Settings\Administrator\Pulpit\CURRENT\CoolDog.wmv : Zone.Identifier (26 bytes)
C:\Documents and Settings\Administrator\Pulpit\CURRENT\Doctors and drug companies art.htm : Zone.Identifier (26 bytes)
C:\Documents and Settings\Administrator\Pulpit\CURRENT\Dose of Oral Dexamethasone for Mild Croup.htm : Zone.Identifier (26 bytes)
C:\Documents and Settings\Administrator\Pulpit\CURRENT\EXAM\ConCert_2005-Questions.pdf : Zone.Identifier (26 bytes)
C:\Documents and Settings\Administrator\Pulpit\CURRENT\February 07.doc : Zone.Identifier (26 bytes)
C:\Documents and Settings\Administrator\Pulpit\CURRENT\funnycats.wm : Zone.Identifier (26 bytes)
C:\Documents and Settings\Administrator\Pulpit\CURRENT\Herpes Zoster art.htm : Zone.Identifier (26 bytes)
C:\Documents and Settings\Administrator\Pulpit\CURRENT\HollowMen.wmv : Zone.Identifier (26 bytes)
C:\Documents and Settings\Administrator\Pulpit\CURRENT\H[1].S.40.xls : Zone.Identifier (26 bytes)
C:\Documents and Settings\Administrator\Pulpit\CURRENT\H[1].S.40A.xls : Zone.Identifier (26 bytes)
C:\Documents and Settings\Administrator\Pulpit\CURRENT\JANUARY 07.doc : Zone.Identifier (26 bytes)
C:\Documents and Settings\Administrator\Pulpit\CURRENT\JULY_06.doc : Zone.Identifier (26 bytes)
C:\Documents and Settings\Administrator\Pulpit\CURRENT\Magischer_Fahrstuhl.pps : Zone.Identifier (26 bytes)
C:\Documents and Settings\Administrator\Pulpit\CURRENT\mammalian bites.htm : Zone.Identifier (26 bytes)
C:\Documents and Settings\Administrator\Pulpit\CURRENT\MARCH 2007.doc : Zone.Identifier (26 bytes)
C:\Documents and Settings\Administrator\Pulpit\CURRENT\MAY 2006.doc : Zone.Identifier (26 bytes)
C:\Documents and Settings\Administrator\Pulpit\CURRENT\MAY 2007.doc : Zone.Identifier (26 bytes)
C:\Documents and Settings\Administrator\Pulpit\CURRENT\NationalGeographicsPhotos2006.pps : Zone.Identifier (26 bytes)
C:\Documents and Settings\Administrator\Pulpit\CURRENT\NSFH MD telephones.doc : Zone.Identifier (26 bytes)
C:\Documents and Settings\Administrator\Pulpit\CURRENT\peeping(1).xls : Zone.Identifier (26 bytes)
C:\Documents and Settings\Administrator\Pulpit\CURRENT\Pełnomocnictwa wzor.doc : Zone.Identifier (26 bytes)
C:\Documents and Settings\Administrator\Pulpit\CURRENT\SEPTEMBER-06.doc : Zone.Identifier (26 bytes)
C:\Documents and Settings\Administrator\Pulpit\CURRENT\SPRAWNIJAKTOFACECI.wmv : Zone.Identifier (26 bytes)
C:\Documents and Settings\Administrator\Pulpit\CURRENT\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Administrator\Pulpit\CURRENT\Treatment of DVT art.htm : Zone.Identifier (26 bytes)
C:\Documents and Settings\Administrator\Pulpit\CURRENT\window for the mother in low.mpeg : Zone.Identifier (26 bytes)
C:\Documents and Settings\Administrator\Pulpit\CURRENT\Women early MI warning art.htm : Zone.Identifier (26 bytes)
C:\Documents and Settings\Administrator\Pulpit\CURRENT\Woomba.wmv : Zone.Identifier (26 bytes)
C:\Documents and Settings\Administrator\Pulpit\EXTRA CLEAN\ATF-Cleaner.exe : Zone.Identifier (26 bytes)
C:\Documents and Settings\Administrator\Pulpit\EXTRA CLEAN\AVG_AntiRootkit_1.0.0.13.exe : Zone.Identifier (26 bytes)
C:\Documents and Settings\Administrator\Pulpit\EXTRA CLEAN\RootkitRevealer.zip : Zone.Identifier (26 bytes)
C:\Documents and Settings\Administrator\Pulpit\EXTRA CLEAN\VundoFix.exe : Zone.Identifier (26 bytes)
C:\Documents and Settings\Administrator\Pulpit\SIENKIEWICZA 40\AKTUALNABank-umowanajmu-wzor-1.doc : Zone.Identifier (26 bytes)
C:\Documents and Settings\Administrator\Pulpit\SIENKIEWICZA 40\BiałystokSienkiewicza40a.doc : Zone.Identifier (26 bytes)
C:\Documents and Settings\Administrator\Pulpit\SIENKIEWICZA 40\EnvironmentalQuestionnaire_bilingualversion.pdf : Zone.Identifier (26 bytes)
C:\Documents and Settings\Administrator\Pulpit\SIENKIEWICZA 40\umowahsb.doc : Zone.Identifier (26 bytes)
C:\Documents and Settings\All Users\Dane aplikacji\Symantec\LiveSubscribe\Catalog.LiveSubscribe : Zone.Identifier (26 bytes)
C:\Program Files\InterVideo\DVD6\Html\Images\Thumbs.db : encryptable (0 bytes)
C:\Program Files\InterVideo\DVD6\Skins\WinDVD 6\Display Subpanel\Thumbs.db : encryptable (0 bytes)


Thank you
miroslaw
  • 0
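
The ADS Spy output in the post above can be triaged mechanically instead of read line by line. The following Python script is an added example, not part of the original thread or of HijackThis; the function names, the rules for which streams count as routine, and the sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict

# One ADS Spy log line: "<file path> : <stream name> (<size> bytes)"
LINE_RE = re.compile(r"^(?P<path>.+?) : (?P<stream>.+) \((?P<size>\d+) bytes\)$")

# Windows XP SP2 writes this exact text into the Zone.Identifier stream of a
# downloaded file; ZoneId is a single digit (0-4), so the stream is 26 bytes.
ZONE_MARKER_SIZE = len(b"[ZoneTransfer]\r\nZoneId=3\r\n")

# Extensions worth a second look when the file came from another zone
# (assumption of this example, extend as needed).
RISKY_EXT = (".exe", ".zip", ".rar", ".scr", ".dll")


def classify(path, stream, size):
    """Return 'zone-marker', 'thumbs-marker' or 'review' for one stream."""
    if stream == "Zone.Identifier" and size == ZONE_MARKER_SIZE:
        return "zone-marker"
    # 0-byte 'encryptable' stream on Thumbs.db, as in the log above;
    # treated as routine here (assumption of this example).
    if stream == "encryptable" and size == 0 and path.lower().endswith("\\thumbs.db"):
        return "thumbs-marker"
    return "review"


def triage(log_text):
    """Group parsed lines by verdict; unparsable lines go to 'unparsed'."""
    report = defaultdict(list)
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            report["unparsed"].append(line)
            continue
        path, stream, size = m["path"], m["stream"], int(m["size"])
        verdict = classify(path, stream, size)
        report[verdict].append((path, stream, size))
        # Downloaded installers and archives help reconstruct how an infection arrived.
        if verdict == "zone-marker" and path.lower().endswith(RISKY_EXT):
            report["downloaded-programs"].append(path)
    return dict(report)


# Constructed sample in the same format as the log above (not the poster's files).
SAMPLE = r"""
C:\Docs\Photos\Thumbs.db : encryptable (0 bytes)
C:\Docs\Programs\setup_tool.exe : Zone.Identifier (26 bytes)
C:\Docs\Desktop\article.htm : Zone.Identifier (26 bytes)
C:\WINDOWS\system32\example.dll : payload.exe (45056 bytes)
C:\Docs\Desktop\notes.txt : Zone.Identifier (4096 bytes)
"""

if __name__ == "__main__":
    for verdict, items in triage(SAMPLE).items():
        print(verdict, len(items))
        for item in items:
            print("   ", item)
```

Only the `review` and `unparsed` groups need a human look: a stream with an unexpected name, or a Zone.Identifier stream whose size is not 26 bytes, is not one of the two routine markers.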

#13
Jayzeee

    Member 1K

  • Member
  • 1,238 posts

I noticed another tiny problem - I can't clean completely URL history

Make sure your browser is closed when you run cleaning programs. Try ATF Cleaner with your browser closed. If that still doesn't work:

Launch Internet Explorer
  • Go to Tools then Internet Options
  • Click on Clear History
That should clear your URL History.

Everything is looking good. We have run multiple scans which have all come back clean. I am confident there is no malware left on your computer. If your machine is still randomly crashing, I believe it is not malware related. I suggest that you post in the Windows XP Forum. The guys there are very knowledgeable about diagnosing these sorts of problems.

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

Detect and Removal
  • Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  • AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
Prevention
  • SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  • SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
  • IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  • CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • Google Toolbar - Free Google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.
  • 0

#14
miroslaw

    New Member

  • Topic Starter
  • Member
  • 8 posts
You have been so helpful - Thank you.

Re: URL history I can't clean - tools/options/clean history - it was the first thing I tried.
All the best
m
  • 0





