Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Was Infected With Smitfraud But Fixed It


  • This topic is locked This topic is locked
10 replies to this topic

#1 AznSnzation

AznSnzation

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:11:35 AM

Posted 30 July 2006 - 01:13 PM

Hi there,

I was infected yesterday but found a fix and cleaned it up. But, unfortunately, my computer is running noticeably slower. Can anyone help me? Thanks! Here is my hijackthis log...

Logfile of HijackThis v1.99.1
Scan saved at 11:11:34 AM, on 7/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.imdb.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{0C562CB3-575E-428F-9F68-2BAB7E2BD2E4}: NameServer = 85.255.115.58,85.255.112.116
O17 - HKLM\System\CCS\Services\Tcpip\..\{0C81BE41-1A6D-4CFB-B1AA-DEEE2AD8CB1D}: NameServer = 85.255.115.58,85.255.112.116
O17 - HKLM\System\CCS\Services\Tcpip\..\{233CC795-84F7-4473-A8EE-DE8AB3321C0A}: NameServer = 85.255.115.58,85.255.112.116
O17 - HKLM\System\CCS\Services\Tcpip\..\{566B2F3C-ED37-4E49-B40D-12A813DBAC88}: NameServer = 85.255.115.58,85.255.112.116
O17 - HKLM\System\CCS\Services\Tcpip\..\{5883F9B9-05BA-4B6C-8BCA-ACF9B48215A7}: NameServer = 85.255.115.58,85.255.112.116
O17 - HKLM\System\CCS\Services\Tcpip\..\{603DBF46-24D4-44B6-99FD-BE17424D34F0}: NameServer = 85.255.115.58,85.255.112.116
O17 - HKLM\System\CCS\Services\Tcpip\..\{DD8DDAD8-DD14-42B3-A3CF-4F1AAEF241D1}: NameServer = 85.255.115.58,85.255.112.116
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.58 85.255.112.116
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.58 85.255.112.116
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.58 85.255.112.116
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


Thank you in advance!
=)

BC AdBot (Login to Remove)

 


m

#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:02:35 PM

Posted 30 July 2006 - 01:17 PM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:



Please download FixWareout from one of these sites:

http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Finally, please post the contents of the logfile C:\fixwareout\report.txt, along with a new HijackThis log into this topic.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 AznSnzation

AznSnzation
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:11:35 AM

Posted 30 July 2006 - 03:41 PM

Hi Sam,

First of all, thanks so much for helping me out and replying to me so quickly. I really appreciate it.

Secondly, I ran FixWareout like you said and here is my report...


Fixwareout ver 1.003
Last edited 07/1/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}AC69B2331C98-8DF8-8584-F737-3B3C25C3{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}4A781E309E4E-ECC9-A8B4-E056-855DDC8D{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}D71FEC6C7B18-0C78-4F74-70B5-92EB72B1{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}C7633F3859F3-9629-9BE4-C899-DEAF5306{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}4D5DA59B3342-B129-EC64-3D22-17821232{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}382F571C8F88-3B8A-FCC4-1A59-37F014D5{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}7FF94816F9F5-6BF8-D534-A6A4-549D98A5{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\ppjmd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\swen
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\eno
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\owt
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\eerht
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ruof
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\evif
...

Microsoft ® Windows Script Host Version 5.6
Random Runs removed from HKLM
...

PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is legitimate

Search by size and names...

Misc files

Checking for older varients covered by the Rem3 tool


Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal
Other suspects
Directory of C:\WINDOWS\system32
{5D410F73-95A1-4CCF-A8B3-88F8C175F283}.exe
{23212871-22D3-46CE-921B-2433B95AD5D4}.exe
{6035FAED-998C-4EB9-9269-3F9583F3367C}.exe
{1B27BE29-5B07-47F4-87C0-81B7C6CEF17D}.exe
{D8CDD558-650E-4B8A-9CCE-E4E903E187A4}.exe



By the way, after I rebooted and FixWareout was running, it gave me the choice to Close or Ignore applications. I chose "Close" a bunch of times for what seemed to be the same application.


Anyways, here are the results of my new HijackThis log...


Logfile of HijackThis v1.99.1
Scan saved at 1:38:45 PM, on 7/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.imdb.com/
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [dmxqc.exe] C:\WINDOWS\system32\dmxqc.exe
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{0C562CB3-575E-428F-9F68-2BAB7E2BD2E4}: NameServer = 85.255.115.58,85.255.112.116
O17 - HKLM\System\CCS\Services\Tcpip\..\{0C81BE41-1A6D-4CFB-B1AA-DEEE2AD8CB1D}: NameServer = 85.255.115.58,85.255.112.116
O17 - HKLM\System\CCS\Services\Tcpip\..\{233CC795-84F7-4473-A8EE-DE8AB3321C0A}: NameServer = 85.255.115.58,85.255.112.116
O17 - HKLM\System\CCS\Services\Tcpip\..\{566B2F3C-ED37-4E49-B40D-12A813DBAC88}: NameServer = 85.255.115.58,85.255.112.116
O17 - HKLM\System\CCS\Services\Tcpip\..\{5883F9B9-05BA-4B6C-8BCA-ACF9B48215A7}: NameServer = 85.255.115.58,85.255.112.116
O17 - HKLM\System\CCS\Services\Tcpip\..\{603DBF46-24D4-44B6-99FD-BE17424D34F0}: NameServer = 85.255.115.58,85.255.112.116
O17 - HKLM\System\CCS\Services\Tcpip\..\{DD8DDAD8-DD14-42B3-A3CF-4F1AAEF241D1}: NameServer = 85.255.115.58,85.255.112.116
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.58 85.255.112.116
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.58 85.255.112.116
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.58 85.255.112.116
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


Thanks again, Sam!
=)

#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:02:35 PM

Posted 30 July 2006 - 10:05 PM

Run Hijackthis again, click scan, and Put a checkmark next to each of the lines listed below. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

O4 - HKLM\..\Run: [dmxqc.exe] C:\WINDOWS\system32\dmxqc.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{0C562CB3-575E-428F-9F68-2BAB7E2BD2E4}: NameServer = 85.255.115.58,85.255.112.116
O17 - HKLM\System\CCS\Services\Tcpip\..\{0C81BE41-1A6D-4CFB-B1AA-DEEE2AD8CB1D}: NameServer = 85.255.115.58,85.255.112.116
O17 - HKLM\System\CCS\Services\Tcpip\..\{233CC795-84F7-4473-A8EE-DE8AB3321C0A}: NameServer = 85.255.115.58,85.255.112.116
O17 - HKLM\System\CCS\Services\Tcpip\..\{566B2F3C-ED37-4E49-B40D-12A813DBAC88}: NameServer = 85.255.115.58,85.255.112.116
O17 - HKLM\System\CCS\Services\Tcpip\..\{5883F9B9-05BA-4B6C-8BCA-ACF9B48215A7}: NameServer = 85.255.115.58,85.255.112.116
O17 - HKLM\System\CCS\Services\Tcpip\..\{603DBF46-24D4-44B6-99FD-BE17424D34F0}: NameServer = 85.255.115.58,85.255.112.116
O17 - HKLM\System\CCS\Services\Tcpip\..\{DD8DDAD8-DD14-42B3-A3CF-4F1AAEF241D1}: NameServer = 85.255.115.58,85.255.112.116
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.58 85.255.112.116
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.58 85.255.112.116
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.58 85.255.112.116



===========================


Now lets check some settings on your system.
  • Enter your Control Panel and double-click on Network Connections
  • Then right click on your Default Connection
    • Usually Local Area Connection for Cable and DSL
  • Left click on Properties
  • Double-Click on the Internet Protocol (TCP/IP) item
  • Select the radio dial that says Obtain DNS Servers Automatically
  • Press OK twice to get out of the properties screen and reboot if it asks
Next Go start run type cmd and hit OK
type
ipconfig /flushdns
then hit enter, type exit hit enter
(that space between g and / is needed)



============================


Please download Ewido Anti-spyware and save that file to your desktop.
This is a 30 day trial of the program
  • Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need run ewido and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close ewido anti-spyware, Do Not run a scan just yet, we will shortly.
  • Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
    IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning proccess:
  • Lauch ewido-anti-spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • ewido will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will prompted, then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close ewido and reboot your system back into Normal Mode and post the results of the ewido scan report along with a new hijackthis log.

Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 AznSnzation

AznSnzation
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:11:35 AM

Posted 31 July 2006 - 12:21 AM

Hi Sam,

So I followed your instructions and here are my new logs...

Logfile of HijackThis v1.99.1
Scan saved at 10:14:55 PM, on 7/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.imdb.com/
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe



- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

e w i d o a n t i - s p y w a r e - S c a n R e p o r t

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -



+ C r e a t e d a t : 8 : 3 9 : 2 1 P M 7 / 3 0 / 2 0 0 6



+ S c a n r e s u l t :







N o t h i n g f o u n d .





: : R e p o r t e n d



There were a lot of things that Ewido caught. I "Applied All Actions" to those so I'm not sure why the report says that nothing was found.

Also, there still is a lot of junk in my Recycle Bin that I feel is virus-related. I don't want to delete what's in there yet though.

Anyways, thanks for the help thus far. Let me know what's next... =)

#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:02:35 PM

Posted 31 July 2006 - 07:49 AM

Your log is clean! :thumbsup:

But I do see one serious issue. There are signs of Norton in your log, but it's not running, which means that you have no virus protection right now. If you've uninstalled Norton and those are leftovers, let me know. I can help you get rid of them.

But we need to get an antivirus installed ASAP. AVG is an excellent free antivirus program that I highly recommend.

http://free.grisoft.com/doc/2/lng/us/tpl/v5


Let me know about Norton and also of any problems that you are still having.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#7 AznSnzation

AznSnzation
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:11:35 AM

Posted 01 August 2006 - 12:39 AM

Hey Sam!

Wow, thanks for the help! I'm glad that my log is now clean thanks to you. You're awesome... =)

Anyways, I installed the AVG like you said and I think that the Norton in my log was because this computer used to have it but it was probably uninstalled... I think. I'm not quite sure because this computer was a hand-me-down. I do have AdAware, HijackThis (as you know), and Spybot... although I think it's acting weird and not scanning properly (like too slowly).

Also I do have one more problem... there are folders and files in my Recycle Bin that I feel are virus-related. A lot of junk in there. I think that if I start deleting them in the traditional way, they'll re-install the viruses onto my computer. How do I get rid of them? Is there a program out there? I've heard of KillBox maybe? (or maybe that's not the right one I don't know).

But cool, thanks for getting me this far! I feel like my computer's almost there... =)

#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:02:35 PM

Posted 01 August 2006 - 12:54 PM

Your can just right click and empty the recycle bin yourself. Or you can use a program that will remove all temp and junk files from several locations at one.


Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.



================


Let's get rid of the leftover piece of Norton.

Click Start > Run and type these commands hitting enter after each one:

sc stop SNDSrvc

sc delete SNDSrvc

sc stop SymWSC

sc delete SymWSC



===============


Reboot and post one last hijackthis log for me to review. :thumbsup:
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#9 AznSnzation

AznSnzation
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:11:35 AM

Posted 02 August 2006 - 01:37 AM

Hey Sam,

Awesome! I think everything is all-good as of now. Thanks so much for all your great help... =)

Anyways, here is my HijackThis log after getting rid of the Norton leftovers and using ATF...


Logfile of HijackThis v1.99.1
Scan saved at 11:26:37 PM, on 8/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.imdb.com/
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe


Let me know if all is well, but I think my computer is clean thanks to you... =)

#10 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:02:35 PM

Posted 02 August 2006 - 04:37 PM

There's no doubt, that's a clean log. The only thing that concerns me is the lack of startup items - 04 lines. There are certain programs, like your antivirus, that you need to start up automatically when your boot up your computer. Are you controlling these with msconfig?
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#11 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:02:35 PM

Posted 19 August 2006 - 08:53 PM

This topic has been closed due to a lack of response. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users