Time For Another Cleaning


27 replies to this topic

#1 fritzle

Posted 29 September 2008 - 07:43 PM

So I've noticed my internet has been slow and doing some weird things lately, so I figure it's time to get it cleaned up again.
Here is my HijackThis log....

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:41:57 PM, on 10/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\ZoneLabs\vsmon.exe
E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
E:\WINDOWS\system32\CTsvcCDA.exe
E:\Program Files\Symantec AntiVirus\DefWatch.exe
E:\WINDOWS\system32\PnkBstrA.exe
E:\WINDOWS\system32\PnkBstrB.exe
E:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Symantec AntiVirus\Rtvscan.exe
E:\WINDOWS\system32\MsPMSPSv.exe
E:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
E:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\Explorer.EXE
E:\PROGRA~1\SYMANT~1\VPTray.exe
E:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
E:\WINDOWS\system32\Rundll32.exe
E:\Program Files\ATI Technologies\ATI.ACE\cli.exe
E:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
E:\Program Files\QuickTime\QTTask.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\LanExpress\WlanASIL\Utility\WlanASIL.exe
E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
E:\WINDOWS\system32\wscntfy.exe
E:\Program Files\SanDisk\Common\Bin\WinCinemaMgr.exe
E:\Program Files\SEC\MagicTune3.6\GammaTray.exe
E:\Program Files\SEC\Natural Color Pro\NCProTray.exe
E:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe
E:\Program Files\SEC\MagicTune3.6\MagicTune.exe
E:\Program Files\SpywareGuard\sgmain.exe
E:\Program Files\SpywareGuard\sgbhp.exe
E:\Program Files\ATI Technologies\ATI.ACE\cli.exe
E:\Program Files\ATI Technologies\ATI.ACE\cli.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
E:\Program Files\Verizon Wireless\V CAST Music Manager\MusicExpress.exe
E:\Program Files\AIM\aim.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - E:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [vptray] E:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [CTSysVol] E:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [ATICCC] "E:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WlanUtil_ASIL] "E:\Program Files\LanExpress\WlanASIL\Utility\WlanASIL.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [googletalk] "E:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - Startup: MEMonitor.lnk = E:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe
O4 - Startup: SpywareGuard.lnk = E:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: WinCinema Manager.lnk = E:\Program Files\SanDisk\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Color Calibration.lnk = ?
O4 - Global Startup: MagicTune 3.6.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NCProTray.lnk = ?
O8 - Extra context menu item: &Google Search - res://e:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://e:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://e:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://e:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://e:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://e:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - E:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - E:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - E:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - E:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PnkBstrA - Unknown owner - E:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - E:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Sansa Updater Service (SansaService) - Unknown owner - E:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
O23 - Service: SAVRoam (SavRoam) - symantec - E:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - E:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - E:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WUSB54Gv4SVC - GEMTEKS - E:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 8318 bytes

#2 teacup61 (Malware Response Team)

Posted 08 October 2008 - 08:36 AM

Hello fritzle,

Welcome back to Bleeping Computer :)

Sorry about the delay. :thumbsup:

I don't see anything malicious in your log, so have a look here : http://users.telenet.be/bluepatchy/miekiem...owcomputer.html

Regards,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 fritzle (Topic Starter)

Posted 10 October 2008 - 07:36 PM

Thanks for replying Teacup, and the delay was no big deal. I forgot to mention that every time I turn my computer on, my antivirus tells me that I have a virus in quarantine; I think it's called BAT.Trojan, if I remember correctly. I don't know if it's messing with my system if it's in quarantine, but it's kind of annoying that it pops up every time I turn my computer on. Is there anything I can do for this?
Also, I will be sure to follow some of the suggestions in the link that you posted.
Thanks,
Frit

#4 teacup61

Posted 11 October 2008 - 12:25 AM

Hello,

Do you know which quarantine? If so, then empty it. It's not any threat from there. If not, can you tell me exactly what the message is? :thumbsup:

Thanks,
tea

#5 fritzle (Topic Starter)

Posted 19 October 2008 - 03:39 PM

Sorry it took so long. But, when I turn my computer on a Symantec AntiVirus Repair Wizard window pops up and tells me I have something in quarantine and to click next to see if I can repair it. It can never repair it so it just leaves it in quarantine and says it will cause no further damage.

#6 teacup61

Posted 02 November 2008 - 07:29 PM

Hello,

I apologize for my delayed reply. Are you still having the same problems? If so, let's have a scan with this :

Please download Malwarebytes' Anti-Malware from one of these places:
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/tools/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & Paste the entire report in your next reply along with a fresh HijackThis log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Thanks,
tea

#7 fritzle (Topic Starter)

Posted 03 November 2008 - 09:00 PM

It's okay, and yes, I have still been having problems, just not as bad since I defragmented and uninstalled some programs. Here is my first log...


Malwarebytes' Anti-Malware 1.30
Database version: 1361
Windows 5.1.2600 Service Pack 2

11/3/2008 8:53:25 PM
mbam-log-2008-11-03 (20-53-25).txt

Scan type: Quick Scan
Objects scanned: 47498
Time elapsed: 8 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 17
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{02910a3c-5d77-4a3e-8a13-fdf81ac7fecd} (Rogue.VirusProtectPro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{0485b9a3-61d4-40a9-82ee-5b8b6bd51a58} (Rogue.VirusProtectPro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{29143580-a3e7-4afb-a8ef-b88f3b56c5a3} (Rogue.VirusProtectPro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3eb2d5e5-ab7c-46db-950e-878cf812aa1c} (Rogue.VirusProtectPro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{5caeb087-af31-494d-842d-39cf1c7adade} (Rogue.VirusProtectPro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{5df8c005-6e2e-4bd6-a765-304a8e550ece} (Rogue.VirusProtectPro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{60659361-1c5f-4fa7-aeb0-f39df2547122} (Rogue.VirusProtectPro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{6a97a178-3e84-45af-8f28-982c22e9a49d} (Rogue.VirusProtectPro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7d9351b3-4ebe-4f8f-981e-9af90ba99f54} (Rogue.VirusProtectPro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7e22e1d0-5af8-4fb8-a635-bd31b3308c71} (Rogue.VirusProtectPro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{821a05ed-bb06-4444-a1e0-f0ab21ff626d} (Rogue.VirusProtectPro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{886bacae-e094-4bde-912e-99c3a3ddd122} (Rogue.VirusProtectPro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{8f290589-db12-447f-8f38-d24653ce9f13} (Rogue.VirusProtectPro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{bad16ee0-5134-4dc2-bd33-46a557c93d36} (Rogue.VirusProtectPro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{ec6671fe-7062-4f26-8383-4b887c4cb50b} (Rogue.VirusProtectPro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fc8db863-22bc-4382-ac7a-96fabfd95bb8} (Rogue.VirusProtectPro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{8e9d2f33-4585-4404-aa57-15b2b03707f4} (Rogue.VirusProtectPro) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
E:\WINDOWS\system32\gq2AYgwR.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.


And my HijackThis log...


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:58:59 PM, on 11/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\ZoneLabs\vsmon.exe
E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\system32\CTsvcCDA.exe
E:\Program Files\Symantec AntiVirus\DefWatch.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\system32\PnkBstrA.exe
E:\WINDOWS\system32\PnkBstrB.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Symantec AntiVirus\Rtvscan.exe
E:\WINDOWS\system32\MsPMSPSv.exe
E:\PROGRA~1\SYMANT~1\VPTray.exe
E:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
E:\WINDOWS\system32\Rundll32.exe
E:\Program Files\ATI Technologies\ATI.ACE\cli.exe
E:\Program Files\LanExpress\WlanASIL\Utility\WlanASIL.exe
E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
E:\Program Files\SEC\MagicTune3.6\GammaTray.exe
E:\Program Files\SEC\Natural Color Pro\NCProTray.exe
E:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe
E:\Program Files\SpywareGuard\sgmain.exe
E:\Program Files\SEC\MagicTune3.6\MagicTune.exe
E:\Program Files\SpywareGuard\sgbhp.exe
E:\Program Files\ATI Technologies\ATI.ACE\cli.exe
E:\Program Files\ATI Technologies\ATI.ACE\cli.exe
E:\Program Files\AIM\aim.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\Verizon Wireless\V CAST Music Manager\MusicExpress.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - E:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [vptray] E:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [CTSysVol] E:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [ATICCC] "E:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [WlanUtil_ASIL] "E:\Program Files\LanExpress\WlanASIL\Utility\WlanASIL.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] E:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [AIM] E:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: MEMonitor.lnk = E:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe
O4 - Startup: SpywareGuard.lnk = E:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Color Calibration.lnk = ?
O4 - Global Startup: MagicTune 3.6.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NCProTray.lnk = ?
O8 - Extra context menu item: &Google Search - res://e:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://e:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://e:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://e:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://e:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://e:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - E:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - E:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - E:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - E:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PnkBstrA - Unknown owner - E:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - E:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Sansa Updater Service (SansaService) - Unknown owner - E:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - E:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - E:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - E:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7408 bytes


Good luck :thumbsup: ,
Frit
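Added example, not code from this thread or from Trend Micro: a small Python parser for the HijackThis log format posted above (R0/O2/O4/O16/O23 lines) that attaches the notes a helper otherwise looks for by eye, such as a service whose binary is "(file missing)", an "Unknown owner" service, the emptied R0 SearchAssistant value, unresolved "= ?" startup shortcuts, Run entries given without a full path, and the host each O16 ActiveX control was downloaded from. The sample lines are taken from the two logs in this thread and assembled here as a stand-alone input; the heuristics are review prompts of my own, not HijackThis's own judgement.

```python
"""Structured triage of HijackThis v2 log lines (added example, not the thread's
or Trend Micro's code): parse section-prefixed lines and attach review notes."""
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse

LINE_RE = re.compile(r"^([A-Z]\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Lines taken from the two logs posted in this thread, assembled here as a stand-alone input.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Global Startup: MagicTune 3.6.lnk = ?
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O23 - Service: PnkBstrA - Unknown owner - E:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Sansa Updater Service (SansaService) - Unknown owner - E:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe (file missing)
"""


@dataclass
class Entry:
    section: str
    body: str
    clsid: Optional[str] = None
    target: Optional[str] = None
    flags: List[str] = field(default_factory=list)


def _target(section: str, body: str) -> Optional[str]:
    """Pull out the path, URL or registry data a line points at, per section layout."""
    if section.startswith("R"):                      # "key,value = data"
        return body.split("=", 1)[1].strip() if "=" in body else None
    if section == "O4":                              # "[name] command" or "Name.lnk = target"
        if "] " in body:
            cmd = body.split("] ", 1)[1].strip()
            return cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd
        return body.split(" = ", 1)[1].strip() if " = " in body else None
    if section in ("O2", "O3", "O9", "O16", "O23"):  # path or URL is the last " - " field
        return body.rsplit(" - ", 1)[-1].replace("(file missing)", "").strip()
    return None


def _flags(section: str, body: str, target: Optional[str]) -> List[str]:
    """Heuristics a reviewer applies to these sections; they are review prompts, not verdicts."""
    notes = []
    if section == "O23":
        if "(file missing)" in body:
            notes.append("service binary missing on disk (stale entry, or a hidden file)")
        if "Unknown owner" in body:
            notes.append("service binary carries no publisher information")
    elif section.startswith("R") and target == "":
        notes.append("value is empty (cleared by a tool or a reset)")
    elif section == "O4":
        if target == "?":
            notes.append("startup shortcut target could not be resolved")
        elif "Run:" in body and target and ":\\" not in target and not target.startswith("\\"):
            notes.append("Run entry without a full path (resolved through PATH search)")
    elif section == "O16" and target:
        notes.append("ActiveX control downloaded from " + urlparse(target).netloc)
    return notes


def parse_log(text: str) -> List[Entry]:
    """Parse a whole HijackThis log; header, process list and separators are skipped."""
    entries = []
    for raw in text.strip().splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        clsid = CLSID_RE.search(body)
        target = _target(section, body)
        entries.append(Entry(section, body, clsid.group(0) if clsid else None,
                             target, _flags(section, body, target)))
    return entries


def flagged(entries: List[Entry]) -> List[Entry]:
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in flagged(parse_log(SAMPLE_LOG)):
        print(e.section, repr(e.target), "; ".join(e.flags))
```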

#8 teacup61

Posted 03 November 2008 - 09:18 PM

Hi there,

And :) right back atcha! :thumbsup: Are you getting the same message on startup still? That HijackThis log looks pretty good, so I have to rely on the other scans we do, and your description. :)

tea

#9 fritzle (Topic Starter)

Posted 04 November 2008 - 08:56 PM

Hellooo, thanks for the fast reply :thumbsup:, and yes I am still getting the same antivirus message every time I start up.

#10 teacup61

Posted 04 November 2008 - 09:00 PM

Hi,

Before I have you empty Norton's quarantine I want to be sure nothing is left lurking, so let's run this bad boy first:

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Thanks,
tea

#11 fritzle (Topic Starter)

Posted 04 November 2008 - 09:12 PM

When I was trying to run Combo Fix, a message popped up titled Symantec AntiVirus Notification, I copied what it said...

Scan type: Auto-Protect Scan
Event: Threat Found!
Threat: BAT.Trojan
File: E:\ComboFix\CFCleanUp.bat
Location: E:\ComboFix
Computer: FRIT
User: Jake
Action taken: Clean failed : Quarantine failed : Delete succeeded : Access denied
Date found: Tuesday, November 04, 2008 9:03:46 PM


Then a few seconds later another window popped up titled "Spywareguard Browser Protection Alert!" and it says

"An attempt to change internet explorer settings has been detected."
"WARNING! Your IE homepage has been changed!"
"Your internet Explorer local machine homepage has been changed from http://www.msn.com/ to about:blank"
Then it asks what I would like to do, restore old value or keep new value.

Since it appears that you are online, I will wait and see what you have to say about them before I do anything, and I believe that I have seen these two things before.

#12 fritzle (Topic Starter)

Posted 04 November 2008 - 09:14 PM

And now my computer is wigging out and my desktop icons and the bar at the bottom of the screen are gone! :thumbsup:

#13 teacup61

Posted 04 November 2008 - 10:06 PM

Well that's Norton interfering. ComboFix is doing what it's supposed to be doing with those temporary changes. Go offline and disable all your protective programs and run it again. Don't touch anything, just let it run. :thumbsup:

#14 fritzle (Topic Starter)

Posted 05 November 2008 - 03:34 PM

Actually, I didn't even start ComboFix; all of that started happening. So I just wrote to you and let it be, but I had to go before I got a message back, and I turned off my computer for the night, and everything is back to normal for now. So should I just go ahead and run ComboFix like you said?

#15 teacup61

Posted 05 November 2008 - 03:41 PM

Yes, please. :thumbsup: