Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected With Adware/spyware


  • This topic is locked This topic is locked
14 replies to this topic

#1 Samwhich

Samwhich

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Location:Travelling
  • Local time:07:33 PM

Posted 11 June 2006 - 04:21 AM

Logfile of HijackThis v1.99.1
Scan saved at 7:11:14 PM, on 6/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\atmclk.exe
C:\WINDOWS\system32\dcomcfg.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Sammy\Desktop\HijackThis.exe

O2 - BHO: Nothing - {686a161d-5bd1-4999-8832-6393f41e564c} - C:\WINDOWS\system32\hp100.tmp

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe

O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe

O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe

O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

BC AdBot (Login to Remove)

 


m

#2 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:04:33 AM

Posted 11 June 2006 - 02:10 PM

Hello and Welcome to BC. :thumbsup:

Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract all the files to your Destop. Click here to see how. A folder named SmitfraudFix will be created on your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed.



Please post the rapport.txt and a fresh HijackThis log.



IMPORTANT: Do NOT run any other options until you are asked to do so!

#3 Samwhich

Samwhich
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Location:Travelling
  • Local time:07:33 PM

Posted 11 June 2006 - 07:14 PM

SmitFraudFix v2.58

Scan done at 10:03:50.39, Mon 06/12/2006
Run from C:\Documents and Settings\Sammy\Desktop\Spyware attack\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32

C:\WINDOWS\system32\atmclk.exe FOUND !
C:\WINDOWS\system32\dcomcfg.exe FOUND !
C:\WINDOWS\system32\hp???.tmp FOUND !
C:\WINDOWS\system32\hp????.tmp FOUND !
C:\WINDOWS\system32\ld????.tmp FOUND !
C:\WINDOWS\system32\ot.ico FOUND !
C:\WINDOWS\system32\regperf.exe FOUND !
C:\WINDOWS\system32\simpole.tlb FOUND !
C:\WINDOWS\system32\stdole3.tlb FOUND !
C:\WINDOWS\system32\ts.ico FOUND !
C:\WINDOWS\system32\1024\ FOUND !

C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\Sammy\Application Data


Start Menu


C:\DOCUME~1\SAMMY\FAVORI~1

C:\DOCUME~1\SAMMY\FAVORI~1\Antivirus Test Online.url FOUND !

Desktop


C:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Scanning wininet.dll infection


End



Logfile of HijackThis v1.99.1
Scan saved at 10:11:06 AM, on 6/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\dcomcfg.exe
C:\WINDOWS\system32\atmclk.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Sammy\Desktop\HijackThis.exe

O2 - BHO: Nothing - {686a161d-5bd1-4999-8832-6393f41e564c} - C:\WINDOWS\system32\hp101.tmp
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

#4 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:04:33 AM

Posted 11 June 2006 - 07:25 PM

Hello Samwhich, :thumbsup:

Please print out or copy these instructions/tutorial to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.


Please download Ccleaner and save it to your desktop.

Tutorial for CCleaner

During the installation be sure to UN-check the box for "Ccleaner Yahoo Toolbar" unless you want it

=====================================

Download and install Ewido Anti-Malware

During the installation, uncheck the following under Additional Options:

Install background guard

Install scan via context menu


Check for updates but do not run it yet.

Note: If you have problems with the updater, you can manually update Ewido.

Download ewido-signatures-full-current.exe from here and save to your Desktop.

All you need to do then is to double-click it, click Install and then when it has finished, Close.

======================================

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.
================================
Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.

Select option #2 - Clean by typing 2 and press Enter.

Wait for the tool to complete and disk cleanup to finish.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.

The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
===========================================

From Safe Mode run Ccleaner
  • Click on Options,
  • Select Advanced
  • Now UNCHECK "Only delete files in Windows Temp folders older than 48 hours"
  • Make sure the Cleaner block on the left is selected.
  • Do not use the "Issues" block . It's meant for professionals.
  • Choose the Windows tab.
  • Check everything EXCEPT Advanced part of the Menu.
  • Click on "Analyze". This process could take a while.
  • If you don't want to loose your login passwords to certain sites, click on Options
  • Select cookies and move the ones you want to keep to the "cookies to keep" section, by highlighting and using the arrows in the middle.
  • Choose Run Cleaner.
When CCleaner shows how much has been removed, cleaning is finished. Click Exit.

If you have more than one users, run Ccleaner for every user

===========================================

Close ALL open Windows / Programs / Folders. Please start Ewido, and run a full scan.
  • Click on Scanner
  • Click on Settings
    • Under How to scan all boxes should be checked
    • Under Unwanted Software all boxes should be checked
    • Under What to scan select Scan every file
    • Click on Ok
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
If Ewido finds anything, it will pop up a notification. When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says Perform action on all infections and put a checkmark in the box next to Create encrypted backup, then choose clean and click Ok.

Once the scan has completed, there will be a button located on the bottom of the screen named Save Report.
  • Click Save Report button
  • Save the report to your Desktop
Close Ewido and Reboot in Normal Mode.

===========================================

Open the SmitfraudFix folder and double-click smitfraudfix.cmd

Select option #3 - Delete Trusted zone by typing 3 and press Enter.

Answer Yes to the question "Restore Trusted Zone ?" by typing Y and hit Enter.

Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.

===========================================

Please post:
  • c:\rapport.txt
  • Ewido log
  • A new HijackThis log
You may need several replies to post the requested logs, otherwise they might get cut off.

Edited by amateur, 11 June 2006 - 07:29 PM.


#5 Samwhich

Samwhich
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Location:Travelling
  • Local time:07:33 PM

Posted 11 June 2006 - 10:48 PM

Lookin better already!!! That Ewido is very thorough aye!


SmitFraudFix v2.58

Scan done at 12:06:23.48, Mon 06/12/2006
Run from C:\Documents and Settings\Sammy\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


Deleting infected files


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting Temp Files


Registry Cleaning

Registry Cleaning done.

After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End





---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 1:25:03 PM, 6/12/2006
+ Report-Checksum: A6D1DDC2

+ Scan result:

C:\Documents and Settings\Sammy\order_vajk.exe -> Logger.Banker.atw : Cleaned with backup
C:\System Volume Information\_restore{64C55BAE-0167-4E29-A424-980E0BCA06F2}\RP87\A0008963.exe -> Downloader.Zlob.ry : Cleaned with backup


::Report End


Logfile of HijackThis v1.99.1
Scan saved at 1:39:34 PM, on 6/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Documents and Settings\Sammy\Desktop\Twelve June spywar\ewido anti-malware\ewidoctrl.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\Documents and Settings\Sammy\Desktop\HijackThis.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\Sammy\Desktop\Twelve June spywar\ewido anti-malware\ewidoctrl.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

#6 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:04:33 AM

Posted 12 June 2006 - 05:54 AM

Please do the following:

Place HijackThis in a folder of its own so that it can house its backups. Right click on an empty space on your desktop. Go to New>Folder to create a new folder. Name the Folder HijackThis. Drag and drop the HijackThis.exe into this new folder.

Please do an online scan with Kaspersky Online Scanner

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
      • Extended (If available otherwise Standard)
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post. Let me know how the computer is running now.


#7 Samwhich

Samwhich
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Location:Travelling
  • Local time:07:33 PM

Posted 12 June 2006 - 10:02 AM

it wont save as a log, only as a HTML file. with explorer symbol. The results show 4 viruses found and 12 infected files? My trend internet security picked up 2 which I deleted.

#8 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:04:33 AM

Posted 12 June 2006 - 10:11 AM

it wont save as a log,

That's odd. Never had that problem before. Let's try another online scanner. I need to see the log.

Run an online scan at Panda's ActiveScan
  • Please go here and perform a full system scan. (use Internet Explorer)
  • Once you are on the Panda site click the Scan your PC button.
  • A new window will open...click the big Check Now button.
  • Enter your Country.
  • Enter your State/Province.
  • Enter your Valid Email and click send.
  • Select either Home User or Company.
  • Click the big Scan Now button.
  • If it wants to install an ActiveX component allow it.
  • It will start downloading the files it requires for the scan.
  • Click on Local Disks to start the scan.
  • Once finished, click see report, then click Save report.
NOTE: Please ignore any entry it finds and the offer to buy the program to remove the entry.

#9 Samwhich

Samwhich
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Location:Travelling
  • Local time:07:33 PM

Posted 12 June 2006 - 11:53 AM

Incident Status Location

Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Sammy\My Documents\Spyware removal\Spyware attack\SmitfraudFix.zip[SmitfraudFix/Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Sammy\My Documents\Spyware removal\Spyware attack\SmitfraudFix\Process.exe

#10 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:04:33 AM

Posted 12 June 2006 - 01:18 PM

Hi Samwhich,

You can go ahead and delete the Smitfraudfix now. Using Windows Explorer (right click on Start, click on Explore) navigate to the following file and delete it please.

C:\Documents and Settings\Sammy\My Documents\Spyware removal\Spyware attack\SmitfraudFix.zip.

I don't know what else you have in the Spyware attack folder. If you only have the Smitfraudfix folder and nothing else that you would like to keep. You can go ahead and delete that folder instead.

Since Ewido is a trial version, the realtime guard and automatic update will stop functioning after 14 days that is why we are not installing the guard so it will not interfere with the cleanup or the malware removal process. You can use Ewido as an on-demand scanner (recommended) but you will have to manually update the definition file each time you scan.

Ccleaner is a useful tool to keep your computer free of cookies and temporary files if you use it on a regular basis. Just remember not to use the issues tab.

Your log is clean, but it looks a little too short on the startup items. I just want to make sure that nothing which could potentially be harmful is disabled from the startup. If you did disable anything, please re-enable them, reboot, and post a fresh HijackThis log. Otherwise, let me know and we can go ahaead and secure your computer.

#11 Samwhich

Samwhich
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Location:Travelling
  • Local time:07:33 PM

Posted 12 June 2006 - 06:23 PM

Is it possible the lack of start up items could be due to the reboot process options chosen when changing back from safe to normal mode?

#12 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:04:33 AM

Posted 12 June 2006 - 07:36 PM

Changing from Safe Mode to Normal Mode would not reduce the number of startup items. You would see less of them if the HijackThis log was taken from Safe Mode. I was merely asking if you've disabled anything. If you didn't, that's fine. It means that you have only MSN messenger and the services loading up at the start. How is the computer running now?

#13 Samwhich

Samwhich
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Location:Travelling
  • Local time:07:33 PM

Posted 12 June 2006 - 07:41 PM

Seems to be ok. Should I be concerned with the results of that search I couldnt post a log of? (4 viruses and 12 infected files)

#14 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:04:33 AM

Posted 12 June 2006 - 07:48 PM

Panda results came out clean. I wouldn't worry. If you want to rest your mind, we can go ahead and have another online scan.

Please download Dr.Web CureIt to the desktop.
  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, you should now mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • After the scan, in the menu, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
Post the DrWeb-log and a new HijackThis-log in this topic.


#15 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:04:33 AM

Posted 16 June 2006 - 06:39 AM

Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please PM me or a staff member with the address of the thread, and we will reopen it for you. This applies only to the original topic starter. Everyone else please begin a New Topic.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users