Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hijackthis


  • This topic is locked This topic is locked
16 replies to this topic

#1 fritzle

fritzle

  • Members
  • 64 posts
  • OFFLINE
  •  
  • Local time:05:14 PM

Posted 16 July 2007 - 11:57 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:56:12 PM, on 7/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\system32\CTsvcCDA.exe
E:\Program Files\Symantec AntiVirus\DefWatch.exe
E:\WINDOWS\system32\PnkBstrA.exe
E:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\Program Files\Symantec AntiVirus\Rtvscan.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\MsPMSPSv.exe
E:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
E:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
E:\PROGRA~1\SYMANT~1\VPTray.exe
E:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
E:\WINDOWS\system32\Rundll32.exe
E:\Program Files\ATI Technologies\ATI.ACE\cli.exe
E:\Program Files\SanDisk\Common\Bin\WinCinemaMgr.exe
E:\Program Files\SEC\MagicTune3.6\GammaTray.exe
E:\Program Files\SEC\Natural Color Pro\NCProTray.exe
E:\Program Files\SEC\MagicTune3.6\MagicTune.exe
E:\Program Files\ATI Technologies\ATI.ACE\cli.exe
E:\Program Files\ATI Technologies\ATI.ACE\cli.exe
E:\Program Files\Video ActiveX Access\iesmn.exe
E:\Program Files\Video ActiveX Access\imsmain.exe
E:\Program Files\Video ActiveX Access\iesmin.exe
E:\Program Files\Video ActiveX Access\imsmn.exe
E:\WINDOWS\system32\rundll32.exe
E:\Program Files\Video ActiveX Access\iesmin.exe
E:\Program Files\Video ActiveX Access\iesmin.exe
E:\Program Files\Video ActiveX Access\iesmin.exe
E:\Program Files\Symantec AntiVirus\VPC32.exe
E:\Program Files\Video ActiveX Access\iesmin.exe
E:\Program Files\Video ActiveX Access\iesmin.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\Video ActiveX Access\iesmin.exe
E:\Program Files\Video ActiveX Access\iesmin.exe
E:\Program Files\Video ActiveX Access\iesmin.exe
E:\Program Files\Video ActiveX Access\iesmin.exe
E:\Program Files\Video ActiveX Access\iesmin.exe
E:\Program Files\Video ActiveX Access\iesmin.exe
E:\Program Files\Video ActiveX Access\iesmin.exe
E:\Program Files\Video ActiveX Access\iesmin.exe
E:\Program Files\Video ActiveX Access\iesmin.exe
E:\Program Files\Video ActiveX Access\iesmin.exe
E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
E:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
E:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {E26CEADA-67B0-4543-BE8B-307F00265118} - E:\Program Files\Video ActiveX Access\iesplg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar1.dll
O3 - Toolbar: Protection Bar - {29C5A3B6-9A8D-4FA0-B5AD-3E20F4AA5C00} - E:\Program Files\Video ActiveX Access\iesbpl.dll
O4 - HKLM\..\Run: [vptray] E:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [CTSysVol] E:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [ATICCC] "E:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [wuff01] ltbeza.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [wuff01] ltbeza.exe
O4 - HKLM\..\RunOnce: [LogiSPSetupNeedReboot] rundll32.exe
O4 - HKCU\..\Run: [googletalk] "E:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Policies\Explorer\Run: [user32.dll] E:\Program Files\Video ActiveX Access\iesmn.exe
O4 - HKLM\..\Policies\Explorer\Run: [rare] E:\Program Files\Video ActiveX Access\imsmain.exe
O4 - Startup: MP3 Rocket (silent).lnk = E:\Program Files\MP3 Rocket\MP3Rocket_on_startup.exe
O4 - Global Startup: WinCinema Manager.lnk = E:\Program Files\SanDisk\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Color Calibration.lnk = ?
O4 - Global Startup: MagicTune 3.6.lnk = ?
O4 - Global Startup: NCProTray.lnk = ?
O8 - Extra context menu item: &Google Search - res://e:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://e:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://e:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://e:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://e:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://e:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O22 - SharedTaskScheduler: discommodiousness - {33b8d257-07f6-4c06-8605-94bc21728635} - E:\WINDOWS\system32\onljweo.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - E:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - E:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - E:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - E:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PnkBstrA - Unknown owner - E:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - E:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Sansa Updater Service (SansaService) - Unknown owner - E:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
O23 - Service: SAVRoam (SavRoam) - symantec - E:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - E:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WUSB54Gv4SVC - GEMTEKS - E:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 7904 bytes

BC AdBot (Login to Remove)

 


m

#2 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:03:14 PM

Posted 17 July 2007 - 05:48 PM

Hello fritzle,

Please download SmitfraudFix

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of the SmitfraudFix report into your next reply along with a new HijackThis log.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.

Edited by SifuMike, 17 July 2007 - 06:02 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 fritzle

fritzle
  • Topic Starter

  • Members
  • 64 posts
  • OFFLINE
  •  
  • Local time:05:14 PM

Posted 17 July 2007 - 10:31 PM

Okay, thank you very much... I will do this when my virus scan is done, which has been going for over 24 hours now :thumbsup: .... Its been scanning a set of data or something that all start with "rashad". It will scan the same file for about ten minutes, then move onto something else that starts with "rashad". It has been scanning these same files for almost the whole 24 hours, any idea what it is?

Thanks again,
Frit

#4 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:03:14 PM

Posted 17 July 2007 - 10:39 PM

Hi Frit,

Nope, no idea. Many viruses have random names and this may be one of them.

If you find it is taking too long to do the virus scan of all the files, write down the complete file path of one of the files and stop the virus scan. .

Then submit the file to Jotti Online File Scanner copy and paste c:\windows32\badfilename to the upload and scan it.

Of course, this is only a scan for one file, not the entire computer.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 fritzle

fritzle
  • Topic Starter

  • Members
  • 64 posts
  • OFFLINE
  •  
  • Local time:05:14 PM

Posted 20 July 2007 - 04:42 PM

I didnt get a text file on screen when i restarted my computer... but I did get this after i used smitfraud in safemode......


Scan done at 15:32:51.75, Fri 07/20/2007
Run from E:\Documents and Settings\Jake\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{33b8d257-07f6-4c06-8605-94bc21728635}"="discommodiousness"

[HKEY_CLASSES_ROOT\CLSID\{33b8d257-07f6-4c06-8605-94bc21728635}\InProcServer32]
@="E:\WINDOWS\system32\onljweo.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{33b8d257-07f6-4c06-8605-94bc21728635}\InProcServer32]
@="E:\WINDOWS\system32\onljweo.dll"


Killing process


hosts


127.0.0.1 localhost

Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files

E:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted
E:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url Deleted
E:\DOCUME~1\Jake\INCOMP~1\FAVORI~1\Online Security Test.url Deleted

DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{C126789A-9F46-46AC-9B75-5A1B3FD68C25}: DhcpNameServer=24.92.226.9 24.92.226.102
HKLM\SYSTEM\CCS\Services\Tcpip\..\{EA7506D5-C969-431E-B2E1-915F5811BE64}: DhcpNameServer=24.92.226.9 24.92.226.102
HKLM\SYSTEM\CS1\Services\Tcpip\..\{C126789A-9F46-46AC-9B75-5A1B3FD68C25}: DhcpNameServer=24.92.226.9 24.92.226.102
HKLM\SYSTEM\CS1\Services\Tcpip\..\{EA7506D5-C969-431E-B2E1-915F5811BE64}: DhcpNameServer=24.92.226.9 24.92.226.102
HKLM\SYSTEM\CS3\Services\Tcpip\..\{C126789A-9F46-46AC-9B75-5A1B3FD68C25}: DhcpNameServer=24.92.226.9 24.92.226.102
HKLM\SYSTEM\CS3\Services\Tcpip\..\{EA7506D5-C969-431E-B2E1-915F5811BE64}: DhcpNameServer=24.92.226.9 24.92.226.102
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=24.92.226.9 24.92.226.102
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=24.92.226.9 24.92.226.102
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=24.92.226.9 24.92.226.102


Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Registry Cleaning

Registry Cleaning done.

SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End






Heres my new Hijackthis log...


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:42:16 PM, on 7/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\system32\CTsvcCDA.exe
E:\Program Files\Symantec AntiVirus\DefWatch.exe
E:\WINDOWS\system32\PnkBstrA.exe
E:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\Program Files\Symantec AntiVirus\Rtvscan.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\MsPMSPSv.exe
E:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
E:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
E:\WINDOWS\system32\wscntfy.exe
E:\PROGRA~1\SYMANT~1\VPTray.exe
E:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
E:\WINDOWS\system32\Rundll32.exe
E:\Program Files\ATI Technologies\ATI.ACE\cli.exe
E:\Program Files\QuickTime\qttask.exe
E:\Program Files\Google\Google Talk\googletalk.exe
E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
E:\Program Files\SanDisk\Common\Bin\WinCinemaMgr.exe
E:\Program Files\SEC\MagicTune3.6\GammaTray.exe
E:\Program Files\SEC\Natural Color Pro\NCProTray.exe
E:\Program Files\SEC\MagicTune3.6\MagicTune.exe
E:\Program Files\ATI Technologies\ATI.ACE\cli.exe
E:\Program Files\ATI Technologies\ATI.ACE\cli.exe
E:\WINDOWS\system32\wuauclt.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [vptray] E:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [CTSysVol] E:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [ATICCC] "E:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [wuff01] ltbeza.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [wuff01] ltbeza.exe
O4 - HKCU\..\Run: [googletalk] "E:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: MP3 Rocket (silent).lnk = E:\Program Files\MP3 Rocket\MP3Rocket_on_startup.exe
O4 - Global Startup: WinCinema Manager.lnk = E:\Program Files\SanDisk\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Color Calibration.lnk = ?
O4 - Global Startup: MagicTune 3.6.lnk = ?
O4 - Global Startup: NCProTray.lnk = ?
O8 - Extra context menu item: &Google Search - res://e:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://e:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://e:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://e:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://e:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://e:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - E:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - E:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - E:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - E:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PnkBstrA - Unknown owner - E:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - E:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Sansa Updater Service (SansaService) - Unknown owner - E:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
O23 - Service: SAVRoam (SavRoam) - symantec - E:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - E:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WUSB54Gv4SVC - GEMTEKS - E:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 6204 bytes

#6 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:03:14 PM

Posted 20 July 2007 - 05:08 PM

Hi fritzle,

Looks like SmitfraudFix remove most of your infection, but we still have more to claen.

I see you are running Teatimer.
I suggest you to disable it because it can interfere with the changes you'll make on your system.
When everything is done and your log is clean again, you can enable it again.

If teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it. How to disable TeaTimer during HijackThis Cleanup
Then, Download ResetTeaTimer.bat.
Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.

Download CCleaner and install it. (default location is best). Do not run it yet!


After we are done using Hijackthis you can enable Teatimer.


CCleaner Tutorial


*******************************************

Select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix."

O4 - HKLM\..\Run: [wuff01] ltbeza.exe
O4 - HKLM\..\RunServices: [wuff01] ltbeza.exe
O4 - Startup: MP3 Rocket (silent).lnk = E:\Program Files\MP3 Rocket\MP3Rocket_on_startup.exe



*******************************************


Please download the OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    E:\WINDOWS\system32\ltbeza.exe
    E:\Program Files\MP3 Rocket\MP3Rocket_on_startup.exe


  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


*******************************************

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.

CAUTION: Please do NOT use the Issues button. This is a built-in registry cleaner. If you don't know how to use it, you may cause irreparable damage to your system.

1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation.
IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbarfree Basic version instead of the Standard Build.


2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
Clean all entries in the "Internet Explorer" section except Cookies.
Clean all the entries in the "Windows Explorer" section.
Clean all entries in the "System" section.
Clean all entries in the "Advanced" section.
Clean any others that you choose.

In the Applications Tab:
Clean all except cookies in the Firefox/Mozilla section if you use it.
Clean all in the Opera section if you use it.
Clean Sun Java in the Internet Section.
Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

If it asks you to reboot at the end, click NO.

CCleaner should be run with the above settings for each User Account!

*******************************************


Reboot your computer.


Post the OTmoveIt log, a new Hijackthis log, and tell me how your computer is running.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 fritzle

fritzle
  • Topic Starter

  • Members
  • 64 posts
  • OFFLINE
  •  
  • Local time:05:14 PM

Posted 20 July 2007 - 06:09 PM

File/Folder E:\WINDOWS\system32\ltbeza.exe not found.
E:\Program Files\MP3 Rocket\MP3Rocket_on_startup.exe moved successfully.

Created on 07/20/2007 16:53:11


OTmoveIT log^^


I have not used CC cleaner yet. I did everything in the Windows tab, but when I go to the applications tab, I have many categories to clean things from. Most of them are not mentioned in your last post, and I don't want to screw up my computer. I took a screenshot of what it shows me... but I do not know how to make the picture small enough so that I can upload it... Could you please help me?

Thanks,
Frit

#8 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:03:14 PM

Posted 20 July 2007 - 06:19 PM

I have not used CC cleaner yet. I did everything in the Windows tab, but when I go to the applications tab, I have many categories to clean things from.


Just bypass the Applications tab.


Please do a search on ltbeza.exe to see the location, and post what you find.
It may not by in System32 folder.

Edited by SifuMike, 20 July 2007 - 06:30 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 fritzle

fritzle
  • Topic Starter

  • Members
  • 64 posts
  • OFFLINE
  •  
  • Local time:05:14 PM

Posted 20 July 2007 - 07:09 PM

Ok, CCleaner is done... but how and where do I do a search on Itbeza.exe?

Sorry for the hassle,
Frit

#10 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:03:14 PM

Posted 20 July 2007 - 07:14 PM

Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders',
deselect (uncheck) 'hide protected operating system files (recommended)', and
deselect (uncheck) "Hide extensions for known file types.'

Start> Search> files and folder > All files and Folder > make sure you look in E: drive.

put ltbeza.exe in the file box. select Search.

Let me know what it finds.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 fritzle

fritzle
  • Topic Starter

  • Members
  • 64 posts
  • OFFLINE
  •  
  • Local time:05:14 PM

Posted 20 July 2007 - 07:30 PM

It says "Search is complete. There are no results to display"

#12 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:03:14 PM

Posted 20 July 2007 - 09:00 PM

Hi Frit,

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post the ComboFix log and a fresh Hijackthis log in your next reply.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall
If you have Norton Antivirus installed then disable script blocking so it will not interfere with the fix.

To disable Norton AntiVirus Script Blocking
Start Norton AntiVirus. If Norton AntiVirus is installed as part of Norton SystemWorks or Norton Internet Security, then start that program.
Click Options. If you see a menu, click Norton AntiVirus.
In the left pane, click Script Blocking.
In the right pane, uncheck Enable Script Blocking (recommended).
Click OK

Trojan Hunter has been reported to detect combofix as Worm.Qiv.100.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#13 fritzle

fritzle
  • Topic Starter

  • Members
  • 64 posts
  • OFFLINE
  •  
  • Local time:05:14 PM

Posted 20 July 2007 - 11:02 PM

Combofix....

"Jake" - 2007-07-20 23:43:05 - ComboFix 07-07-14.6 - Service Pack 2 NTFS


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


E:\DOCUME~1\Jake\Desktop\internet.lnk


((((((((((((((((((((((((( Files Created from 2007-06-21 to 2007-07-21 )))))))))))))))))))))))))))))))


2007-07-20 23:41 51,200 --a------ E:\WINDOWS\nircmd.exe
2007-07-20 18:06 <DIR> d-------- E:\WINDOWS\LastGood
2007-07-20 16:46 <DIR> d-------- E:\Program Files\CCleaner
2007-07-20 15:51 <DIR> d-------- E:\WINDOWS\system32\PreInstall
2007-07-20 15:50 <DIR> d--h----- E:\WINDOWS\$hf_mig$
2007-07-20 15:32 996 --a------ E:\WINDOWS\system32\tmp.reg
2007-07-17 21:22 53,248 --a------ E:\WINDOWS\system32\Process.exe
2007-07-17 21:22 51,200 --a------ E:\WINDOWS\system32\dumphive.exe
2007-07-17 21:22 288,417 --a------ E:\WINDOWS\system32\SrchSTS.exe
2007-07-16 22:44 <DIR> d-------- E:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-07-16 22:26 <DIR> d-------- E:\Program Files\Trend Micro
2007-07-16 21:40 <DIR> d-a------ E:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-06-28 19:17 <DIR> d-------- E:\DOCUME~1\Jake\APPLIC~1\CyberLink
2007-06-28 19:10 <DIR> d--hs---- E:\WINDOWS\ftpcache
2007-06-28 19:10 <DIR> d-------- E:\DOCUME~1\Jake\APPLIC~1\Logitech
2007-06-28 19:08 25,088 --a------ E:\WINDOWS\system32\msxml3a.dll
2007-06-28 19:07 <DIR> d-------- E:\Program Files\CyberLink
2007-06-28 19:06 <DIR> d-------- E:\Program Files\Logitech


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-21 00:04:11 -------- d-----w E:\Program Files\Symantec AntiVirus
2007-07-20 23:37:48 -------- d-----w E:\Program Files\Messenger
2007-07-17 04:11:51 -------- d--h--w E:\Program Files\InstallShield Installation Information
2007-07-12 20:41:55 -------- d-----w E:\DOCUME~1\Jake\APPLIC~1\MP3Rocket
2007-06-21 18:17:27 -------- d-----w E:\Program Files\MP3 Rocket
2007-05-21 22:35:37 -------- d-----w E:\Program Files\Warcraft III
2007-05-21 21:22:13 21,847 ----a-w E:\WINDOWS\War3Unin.dat
2007-05-16 15:12:02 683,520 ----a-w E:\WINDOWS\system32\inetcomm.dll
2007-05-08 01:28:27 108,144 ----a-w E:\WINDOWS\system32\CmdLineExt.dll
2007-04-25 14:21:15 144,896 ----a-w E:\WINDOWS\system32\schannel.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-01-12 21:38 63128 --a------ E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
2006-02-14 22:05 1191424 -ra------ e:\program files\google\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="E:\PROGRA~1\SYMANT~1\VPTray.exe" [2004-03-12 17:18]
"CTSysVol"="E:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 12:43]
"VTTrayp"="VTtrayp.exe" [2005-03-11 03:33 E:\WINDOWS\system32\VTTrayp.exe]
"P17Helper"="P17.dll" [2005-05-03 21:38 E:\WINDOWS\system32\P17.dll]
"ATICCC"="E:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 15:43]
"QuickTime Task"="E:\Program Files\QuickTime\qttask.exe" [2006-09-01 17:57]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"googletalk"="E:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 15:22]
"SpybotSD TeaTimer"="E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=E:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=E:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^Jake^Start Menu^Programs^Startup^MP3 Rocket (silent).lnk]
path=E:\Documents and Settings\Jake\Start Menu\Programs\Startup\MP3 Rocket (silent).lnk
backup=E:\WINDOWS\pss\MP3 Rocket (silent).lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
E:\Program Files\AIM\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"E:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
"E:\Program Files\Google\Google Talk\googletalk.exe" /autostart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
E:\Program Files\Common Files\AOL\1138808937\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
E:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
E:\WINDOWS\UpdReg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
E:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
E:\Program Files\Yahoo!\Messenger\ypager.exe -quiet


Contents of the 'Scheduled Tasks' folder
2007-07-13 00:45:01 E:\WINDOWS\tasks\AppleSoftwareUpdate.job

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-20 23:45:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0



Hijackthis....


ogfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:02:02 AM, on 7/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\system32\CTsvcCDA.exe
E:\Program Files\Symantec AntiVirus\DefWatch.exe
E:\WINDOWS\system32\PnkBstrA.exe
E:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
E:\Program Files\Symantec AntiVirus\Rtvscan.exe
E:\WINDOWS\system32\MsPMSPSv.exe
E:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
E:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\PROGRA~1\SYMANT~1\VPTray.exe
E:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
E:\Program Files\ATI Technologies\ATI.ACE\cli.exe
E:\Program Files\Google\Google Talk\googletalk.exe
E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
E:\Program Files\SanDisk\Common\Bin\WinCinemaMgr.exe
E:\Program Files\SEC\MagicTune3.6\GammaTray.exe
E:\Program Files\SEC\Natural Color Pro\NCProTray.exe
E:\Program Files\SEC\MagicTune3.6\MagicTune.exe
E:\Program Files\ATI Technologies\ATI.ACE\cli.exe
E:\Program Files\ATI Technologies\ATI.ACE\cli.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\explorer.exe
E:\WINDOWS\system32\notepad.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [vptray] E:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [CTSysVol] E:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [ATICCC] "E:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [googletalk] "E:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: WinCinema Manager.lnk = E:\Program Files\SanDisk\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Color Calibration.lnk = ?
O4 - Global Startup: MagicTune 3.6.lnk = ?
O4 - Global Startup: NCProTray.lnk = ?
O8 - Extra context menu item: &Google Search - res://e:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://e:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://e:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://e:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://e:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://e:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - E:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - E:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - E:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - E:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PnkBstrA - Unknown owner - E:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - E:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Sansa Updater Service (SansaService) - Unknown owner - E:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
O23 - Service: SAVRoam (SavRoam) - symantec - E:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - E:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WUSB54Gv4SVC - GEMTEKS - E:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 5932 bytes

#14 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:03:14 PM

Posted 20 July 2007 - 11:53 PM

Hi frit,

Your log looks clean! :thumbsup: Good job on the cleanup!

Let's reset you files so they are hidden and protected.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading deselect Show hidden files and folders.
Check the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK

Let's clean your System Restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows.
The files in System Restore are protected to prevent any programs from changing those files.
This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

1. Turn off System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK

2. Restart your computer.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.
NOTE: only do this ONCE, NOT on a regular basis

System Restore will now be active again.




Please read and follow How did I get infected?, With steps so it does not happen again!
as well as
How to prevent Malware' by miekiemoes


If you want to improve speed/system performance after malware removal, take a look here.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#15 fritzle

fritzle
  • Topic Starter

  • Members
  • 64 posts
  • OFFLINE
  •  
  • Local time:05:14 PM

Posted 21 July 2007 - 12:14 AM

Thank you very much for all of the help!!!!! My computer is running faster than it was before it got infected and everything is great.

Thanks again,
Frit




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users