
porn popups NetWorm-I.Virus@fp ifriends


13 replies to this topic

#1 Tarzan
  • Members
  • 19 posts

Posted 20 October 2006 - 07:35 PM

OK,

So I ran an online scan using safety.live.com
then created a HijackThis log; please see below.

I hope this means something to somebody because I haven't got a clue.
Thanks to anybody who is helping me!

Logfile of HijackThis v1.99.1
Scan saved at 01:28:08, on 21/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\MMediaCodec\pmsngr.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\Save\Save.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [USIUDF_Eject_Monitor] C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB002" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PacificPoker - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - C:\PROGRA~1\PACIFI~1\pacificpoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/d...wlscbase969.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1134672615843
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Unknown owner - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe" -win32service (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

Mod Edit: This post will be moved to a more appropriate Forum.

Edited by Scarlett, 21 October 2006 - 12:58 AM.



#2 DaveM59

    Bleepin' Grandpa

  • Members
  • 1,355 posts
  • Gender:Male
  • Location:TN USA

Posted 22 October 2006 - 06:57 PM

Hi Tarzan,

Welcome to the HJT forum. :thumbsup:

I will be helping you, under the guidance of one of our expert coaches.

Please give me a little time to analyze your log. I will get back to you with instructions.

Thanks for your patience --

Dave

#3 DaveM59

    Bleepin' Grandpa

  • Members
  • 1,355 posts
  • Gender:Male
  • Location:TN USA

Posted 23 October 2006 - 05:25 AM

Hi again Tarzan,

Before we begin removing your malware/adware, you need to update your Java. Earlier versions have serious security vulnerabilities. Click Start, Control Panel, then double click Add/Remove Programs. When the list is populated look for any and all entries starting with J2SE or JRE with the little Java icon (a coffee cup). Remove them all, one by one. Then open your browser and go to this web page to get the latest version. Scroll down to the middle of the page where you will find Java Runtime Environment (JRE) 5.0 Update 9. Click Download which will take you to the secure download page. At the top, select the Accept License Agreement button. Then look to the first block for the J2SE downloads for the Windows Platform. You can choose either the Online or Offline installation version; unless you have several computers you need to upgrade, I suggest the Online version.

Download the file to your desktop, then close your browser and double click the icon to begin installation. Follow the prompts to install the program. If you are prompted to reboot the computer after installation is complete, do so.

If you have trouble with the Online installation, you can download the big Offline file and install it with your browser closed.


The first step in cleaning your computer is to download a special tool and run it in diagnostic mode.


SmitfraudFix Scan

Please download SmitfraudFix. Save the .zip file to your desktop.
Right click the file icon and Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press <Enter>; a text file will appear, which lists infected files (if present).
Please save that file and copy/paste the content of that report into your next reply.

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

http://www.beyondlogic.org/consulting/proc...processutil.htm

Post the complete text of that log file in a reply to this topic.

Good luck,

Dave

#4 Tarzan
  • Topic Starter
  • Members
  • 19 posts

Posted 23 October 2006 - 06:39 AM

Hello Dave,

Many thanks for your attention.

If it makes a difference I can run the first search option "1" in diagnostic mode and send that, but during the weekend I actually downloaded smitfraudfix and ran the clean option "2" in safe mode which generated a report. Does it matter which one is sent?

Once again many thanks
Tarzan

#5 DaveM59

    Bleepin' Grandpa

  • Members
  • 1,355 posts
  • Gender:Male
  • Location:TN USA

Posted 24 October 2006 - 10:00 AM

Hi again Tarzan,

Sorry for the delay in responding.

Since you have already run Smitfraudfix option 2 in safe mode, yes, please post that log (rapport.txt) to a reply here. Don't bother to run option 1, the log you already have will contain the information we need.

I also need you to run a fresh HijackThis scan, in normal mode, and post that log as well. Then we can carry on with eliminating any remaining malware on your system.

Also please let me know how the computer is running.

Cheers,
Dave

#6 Tarzan
  • Topic Starter
  • Members
  • 19 posts

Posted 24 October 2006 - 03:41 PM

Hi Dave,

I ran the smitfraudfix again as per your 1st request before getting your latest message and accidentally saved over the old file, but here it is anyway.

Below this I have included the latest Hijackthis file.

I have to admit that after the first time I ran the smitfraudfix file and scanning using a couple of virus scanners a lot of the messages have stopped coming up.

I have Norton and ran a scan with that which brought up 2 viruses, 1 of which could be quarantined; the other Norton couldn't do anything with, so I can only guess it's still on my PC.

But the whole system is running slow.
I have 1G of RAM and 400G of hard drive along with an Intel Pentium 4 3.2GHz processor. I don't run graphics-heavy processes like games, so I can't understand why it takes a while to load up Windows or even just Firefox?

Once again I'd like to thank you for all the help; if it wasn't for people like you, people like me would be up the creek.

Tarzan



SmitFraudFix v2.109

Scan done at 21:14:33.18, 24/10/2006
Run from C:\Documents and Settings\Vartan Salmasi\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in safe mode

C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\Vartan Salmasi


C:\Documents and Settings\Vartan Salmasi\Application Data


Start Menu


C:\DOCUME~1\VARTAN~1\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components



Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


pe386-msguard-lzx32


Scanning wininet.dll infection


End


----------------------------------------------------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 21:08:44, on 24/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [USIUDF_Eject_Monitor] C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB002" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PacificPoker - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - C:\PROGRA~1\PACIFI~1\pacificpoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/d...wlscbase969.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1134672615843
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Unknown owner - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe" -win32service (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

#7 DaveM59

    Bleepin' Grandpa

  • Members
  • 1,355 posts
  • Gender:Male
  • Location:TN USA

Posted 25 October 2006 - 05:31 AM

Hi again Tarzan,

Smitfraudfix and your scanners did their jobs. Your logs are clean! :thumbsup:

I do have a few questions. First:

"a lot of the messages have stopped coming up."

Does this mean you are still getting some popups? If so, what are they? Is there any indication where they are coming from?

Second, your speed issue -- do programs run slowly or is it simply that Windows and Firefox load slowly?

Third: Your log shows a Hewlett-Packard driver component as well as a couple for an Epson printer. Do you have two printers installed on this computer?

Fourth: Did you install SpyHunter on your system deliberately? This is no longer listed as a "rogue" antispyware program but it has a checkered history and is not highly regarded. For more details see here:

http://www.spywarewarrior.com/rogue_anti-spyware.htm#sh_note

I also noticed that you have Pacific Poker installed. In general, gaming sites are questionable and are often a source of infections. If you use this site and wish to keep the program, it is your option; however, if you are not using the program I suggest you remove it. I also suggest you uninstall SpyHunter and replace it with another antispyware program. To uninstall either or both of these programs, first see if they can be removed by normal means.

Click Start.
Open Control Panel.
Double click Add or Remove Programs.
Look for an entry named SpyHunter or Enigma.
If found, select it and click Remove, then click Yes to confirm.
Do the same for Pacific Poker.
Close out Control Panel.


If the program(s) are not listed in Add/Remove programs, you can remove them manually.

First, start HijackThis and run a scan.
Place a check mark next to the following lines:

O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O9 - Extra button: PacificPoker - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - C:\PROGRA~1\PACIFI~1\pacificpoker.exe

Then, close all windows on your desktop except for HijackThis.
Click Fix Checked.
Close HijackThis.

Then, reboot your computer into safe mode, and use Explorer to navigate to the following folders:

C:\Program Files\Enigma Software Group
C:\Program Files\PACIFI~1
<== folder name will start with the letters PACIFI - may not be all capital letters

Right-click the folder(s) and select Delete. Then close out the window and reboot into normal mode.


Even if you decide to keep SpyHunter, we need to scan with a different program.

Install AVG-Antispyware: Open your browser and go to This page. Read the information regarding the paid and free versions of the program, then at the bottom of the page click the orange box labeled Download Now. Save the AVG-AS setup file to your desktop. Close your browser.

Double click the AVGAS setup icon. Unless you need to change the language first, click OK, then Next.

On the License agreement screen click I Agree. Then accept the default installation folder by clicking Next.

Finally, click Install. The program will then copy files and register itself; when it tells you it is installed, click Finish.

AVG-AS 7.5 will open. On the Status screen you will see a line Last Update ! Never. On that line click Update Now.

After the program updates, you may want to change the Auto Updates options. The default is to check for updates every 60 minutes, which you may feel is excessive. Note that after the 30 day trial period, Auto Updates is disabled unless you pay for the program.

Now click the Scanner icon at the top of the window. Click the Settings tab. When that screen opens select the radio button Automatically produce a report after every scan. Uncheck the box Only if threats were found.

On the same screen, under "How to Act", click on Recommended Actions. Select Quarantine.

Leave the other settings on that screen at their defaults.

Close the program. This will save the settings changes. Do not run a scan yet.
Next, Reboot your computer into Safe Mode.


Finally, scan with AVG Anti-Spyware: Double click the AVG-AS 7.5 icon on your desktop to start the program.

Click the Scan tab. When the screen opens, select Complete System Scan. This action will take some time.

When the scan is finished, scroll through the list. Except for cookies, which should be set to Delete, every item should be set to Quarantine. If this is not the case, change it.

Now click Apply All Actions. Then click Save Report. On the screen that opens, click Save Report As, and in the Report save as... window navigate to and select your Desktop. You may want to rename the report file to something such as AVGAS_scan01.txt that will make it easier to recognize.

Close the program and reboot into normal mode.
Finally, let's run a rootkit scan.

Please download F-Secure Blacklight from here: http://www.f-secure.com/blacklight/try_blacklight.html

Save the program to a folder, for example c:\black

Go to Start --> Run --> type (or copy and paste) C:\black\blbeta.exe /expert (note there is a space between "blbeta.exe" and "/") and press the OK button.

Select "I accept the agreement" and then press the Next button.

Press the Scan button.

When it is done, press the Next button and then the Exit button.

Open the c:\black folder and you will find a log. Please post the contents of that log.
Don't fix anything with BlackLight. Files found may be legitimate.

Please post the contents of the AVG-AS and blacklight logs to your next reply.

Good luck --

Dave
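
As an added example for this thread (it is not part of Dave's instructions and not a HijackThis component): the two lines above are a Run-key autostart (O4) and an Internet Explorer "Extra button" (O9). The Python below pulls the registry location, the display name and the executable path out of such lines and lists the parent folders to look for afterwards, which is the cross-check the safe-mode deletion step relies on. Assumptions: HijackThis abbreviates HKLM\Software\Microsoft\Windows\CurrentVersion\Run to HKLM\..\Run, and an O9 line without an "(HKCU)" suffix lives under HKLM\Software\Microsoft\Internet Explorer\Extensions\{CLSID}. The sample log is constructed from the two lines quoted in the post plus one made-up O23 line to show that other sections are ignored.

```python
"""Triage helper for HijackThis O4/O9 lines.

Pulls the registry location, display name and on-disk image out of an
entry so that the entries you are about to "Fix" can be cross-checked
against the folders you will delete in safe mode afterwards.  Added
example for this thread; it is not part of HijackThis.  The sample log
is constructed: two lines quoted in the post plus one made-up O23 line."""
import re
from dataclasses import dataclass
from typing import List, Optional

SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O9 - Extra button: PacificPoker - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - C:\PROGRA~1\PACIFI~1\pacificpoker.exe
O23 - Service: Example Service (ExampleSvc) - Example Corp - C:\Program Files\Example\example.exe
"""

# "O4 - HKLM\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# "O9 - Extra button: <title> - {CLSID} - <path>"
O9_RE = re.compile(
    r"^O9 - Extra button: (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}) - (?P<cmd>.*)$"
)


@dataclass(frozen=True)
class AutostartEntry:
    kind: str          # "O4" (Run key value) or "O9" (IE Extra button)
    location: str      # full registry key the entry lives under
    name: str          # Run value name, or the button title
    image: str         # executable path with any arguments stripped
    short_names: bool  # path uses 8.3 short names such as PACIFI~1


def _image_path(cmd: str) -> str:
    """Return just the executable from a Run-key command line.

    Values may be quoted ("C:\\x y\\a.exe" /flag) or bare with spaces
    (C:\\Program Files\\...\\a.exe); for the bare case stop at the first
    '.exe' that is followed by whitespace or end of string."""
    cmd = cmd.strip()
    if cmd.startswith('"') and cmd.count('"') >= 2:
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r"(.*?\.exe)(?=\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd


def parse_line(line: str) -> Optional[AutostartEntry]:
    line = line.strip()
    m = O4_RE.match(line)
    if m:
        # HijackThis prints HKLM\..\Run for HKLM\Software\Microsoft\Windows\CurrentVersion\Run
        location = "\\".join([m["hive"], "Software", "Microsoft", "Windows", "CurrentVersion", m["key"]])
        image = _image_path(m["cmd"])
        return AutostartEntry("O4", location, m["name"], image, "~" in image)
    m = O9_RE.match(line)
    if m:
        # Assumption: an O9 line without an "(HKCU)" suffix is the machine-wide key.
        location = r"HKLM\Software\Microsoft\Internet Explorer\Extensions" + "\\" + m["clsid"]
        image = _image_path(m["cmd"])
        return AutostartEntry("O9", location, m["name"], image, "~" in image)
    return None  # other HijackThis sections (O2, O23, ...) are not handled here


def parse_log(text: str) -> List[AutostartEntry]:
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def folders_to_check(entries: List[AutostartEntry]) -> List[str]:
    """Parent folder of each image, in log order, without duplicates:
    these are the directories to look for in safe mode once the
    registry entries are gone."""
    folders: List[str] = []
    for e in entries:
        folder = e.image.rsplit("\\", 1)[0]
        if folder not in folders:
            folders.append(folder)
    return folders


if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    for e in found:
        print(f"{e.kind} {e.name!r} -> {e.location}")
        print(f"    image: {e.image}{'  (8.3 short path)' if e.short_names else ''}")
    print("folders to check in safe mode:", folders_to_check(found))
```

The 8.3 flag matters because the folder HijackThis shows (PACIFI~1) is not the name you will see in Explorer; the script tells you to expect a long name starting with "Pacifi" rather than the literal short form.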

#8 Tarzan (Topic Starter)

Posted 25 October 2006 - 05:49 PM

Hi Dave,

Ok, to answer your questions first;

Does this mean you are still getting some popups? If so, what are they? Is there any indication where they are coming from?

There are no more pop ups which is great, I should have been clearer.

Second, your speed issue -- do programs run slowly or is it simply that Windows and Firefox load slowly?

I notice a bit of both, but mainly it takes a long time to actually load programmes up initially. I think there are a bunch of things that start up automatically which I don't really want but don't know how to control.

Third: Your log shows a Hewlett-Packard driver component as well as a couple for an Epson printer. Do you have two printers installed on this computer?

I have had two printers but I only use one now, Does it make a difference if the old one is still installed?

Fourth: Did you install SpyHunter on your system deliberately? This is no longer listed as a "rogue"

I did install SpyHunter deliberately on the back of some recommendation but I have now deleted it based on your comments. I do use Pacific Poker & would like to continue playing, is there some way of making it more secure?

Below are the logs you asked for. The first is the AVG scan, which seems to have picked up something and has quarantined it.

The second is the BlackLight log. Haven't a clue what it's going on about :thumbsup:



---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 23:10:10 25/10/2006

+ Scan result:



D:\Downloaded software\FreeTVOnline_setup2.exe/Setup.exe -> Dropper.Agent.asf : Cleaned with backup (quarantined).


::Report end
----------------------------------------------------------------------------------------------

10/25/06 23:21:16 [Info]: BlackLight Engine 1.0.47 initialized
10/25/06 23:21:16 [Info]: OS: 5.1 build 2600 (Service Pack 2)
10/25/06 23:21:16 [Note]: 7019 4
10/25/06 23:21:16 [Note]: 7005 0
10/25/06 23:21:26 [Note]: 7006 0
10/25/06 23:21:26 [Note]: 7022 0
10/25/06 23:21:26 [Note]: 7011 2960
10/25/06 23:21:26 [Note]: 7026 0
10/25/06 23:21:27 [Note]: 7026 0
10/25/06 23:21:27 [Note]: FSRAW library version 1.7.1020
10/25/06 23:29:00 [Note]: 7007 0

#9 DaveM59

Posted 26 October 2006 - 06:06 AM

Hi again Tarzan,

Are you sure that was the entire AVG Antispyware log? Usually it turns up a bunch of tracking cookies and other such stuff -- not significant necessarily but the logs are usually at least twenty or thirty lines long. It tends to be more aggressive in targeting cookies and will generally find some even if you have run another scanner recently. For example, I just ran Ad-Aware and it found nothing. Then I ran AVG-AS and it turned up 17 tracking cookies. (This is from two days of computer use BTW -- my most recent previous scan was Oct. 23.) I also notice that the only item in your log is on the D:\ drive (or partition). Nothing is showing for C:\, which is where the tracking cookies (and active malware, if any) would be found. So, sorry but I have to ask, are you sure the program was configured as instructed, and did a full system scan?

That one item found is a piece of "freeware" that came bundled with spyware -- a very common occurrence. If you had installed it you also would have activated the spyware.

If you are sure that AVG-AS log is complete and that it checked your entire system, then on the basis of your reports I am ready to declare your computer clean.

Please get back to me with your answer, and we can do some final housekeeping and I'll give you some pointers on streamlining and protecting your system.

Cheers,

Dave

#10 Tarzan (Topic Starter)

Posted 29 October 2006 - 01:04 PM

Hi Dave,

Sorry for the delay.

I generally delete all cookies after each use of the web, so that might be why there was nothing. Anyway, I ran another scan in Safe Mode and another in Normal mode; below are the logs. The first was in Safe Mode.

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 15:07:44 29/10/2006

+ Scan result:



Nothing found.


::Report end




The one below is in Normal mode

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 17:37:50 29/10/2006

+ Scan result:



:mozilla.10:C:\Documents and Settings\Vartan Salmasi\Application Data\Mozilla\Firefox\Profiles\yirsf5is.default\cookies.txt -> TrackingCookie.Cqcounter : Cleaned.
:mozilla.23:C:\Documents and Settings\Vartan Salmasi\Application Data\Mozilla\Firefox\Profiles\yirsf5is.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.47:C:\Documents and Settings\Vartan Salmasi\Application Data\Mozilla\Firefox\Profiles\yirsf5is.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.48:C:\Documents and Settings\Vartan Salmasi\Application Data\Mozilla\Firefox\Profiles\yirsf5is.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.49:C:\Documents and Settings\Vartan Salmasi\Application Data\Mozilla\Firefox\Profiles\yirsf5is.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.60:C:\Documents and Settings\Vartan Salmasi\Application Data\Mozilla\Firefox\Profiles\yirsf5is.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.61:C:\Documents and Settings\Vartan Salmasi\Application Data\Mozilla\Firefox\Profiles\yirsf5is.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.62:C:\Documents and Settings\Vartan Salmasi\Application Data\Mozilla\Firefox\Profiles\yirsf5is.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.63:C:\Documents and Settings\Vartan Salmasi\Application Data\Mozilla\Firefox\Profiles\yirsf5is.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.64:C:\Documents and Settings\Vartan Salmasi\Application Data\Mozilla\Firefox\Profiles\yirsf5is.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.68:C:\Documents and Settings\Vartan Salmasi\Application Data\Mozilla\Firefox\Profiles\yirsf5is.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.52:C:\Documents and Settings\Vartan Salmasi\Application Data\Mozilla\Firefox\Profiles\yirsf5is.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.53:C:\Documents and Settings\Vartan Salmasi\Application Data\Mozilla\Firefox\Profiles\yirsf5is.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.54:C:\Documents and Settings\Vartan Salmasi\Application Data\Mozilla\Firefox\Profiles\yirsf5is.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.


::Report end


I have created an Excel file of the processes that are running that I would like you to look at. There seem to be lots of them, especially something called svchost.exe. I don't know how to attach files to this post; can I email them to you?
Is it necessary that all of these are running? Could they be the reason why my system is slow?

Thanks again
Tarz.

#11 DaveM59

Posted 30 October 2006 - 09:58 AM

Hi again Tarzan,

Thanks for getting back to me. Your AVG-AS logs and your previous Blacklight log confirm that your system is now clean.

To answer a question you asked before, the Blacklight log was a check for a particularly nasty kind of malware called a rootkit. These things often leave no visible traces in a HijackThis log, so when a user complains of slow performance on a clean computer we have to run a rootkit scan to rule this out.

We need to do a little housekeeping. First, let's get rid of temporary files and folders:

Get ATF Cleaner here. It does not require installation, just download it to your desktop.
Double-click the ATFCleaner icon on your desktop to launch the program. For this first run, check the select all box on the main page, then click Empty selected. Then, if you use Firefox or Opera, click on the appropriate tab and repeat the same drill.


Next, we need to delete all your restore points by disabling then re-enabling System Restore with a reboot in between.

For this I refer you to this BC tutorial:

http://www.bleepingcomputer.com/tutorials/windows-xp-system-restore-guide/

This will prevent reinfection in case you have to do a system restore at some time in the future.


Finally, you should also take a look at this excellent overview of internet security:

http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/

This tutorial includes recommendations for free antispyware programs to replace the one you removed earlier. You should also keep AVG-AS on your system and scan with it once in a while.


As far as protecting yourself on your poker site, I recommend you not click on any advertising links anywhere, but this goes double on a gaming site. Also read the license agreement carefully before you download anything. Be especially wary of "sponsor programs" or anything promising bonus points or extra features. A lot of adware/spyware relies on the inattention of users. Free stuff often is not really free.


Finally, regarding your performance question, I have to say first that this forum is specifically dedicated to eliminating malware from infected computers. I also have to admit that I'm no expert on performance questions. However, as a general rule a lot of processes will slow down a computer. Some use more resources than others, the worst being tagged with the epithet "resource hogs." Since you already have a startup list, I'd suggest you begin by checking it against the BC list found here:

http://www.bleepingcomputer.com/startups/

There is also a forum dedicated to it here:

http://www.bleepingcomputer.com/forums/f/85/windows-startup-programs-database/

One suggestion I will make -- if you want to disable a startup, don't use msconfig for this purpose. Instead, check the help files for the program and change the program's settings in that way. For Windows XP's own processes, you can control them through the Control Panel/Administrative Tools/Services panel. Just be careful what you disable. Make sure you understand exactly what a process does before you decide to do without it. You can render a computer unbootable by disabling a vital process.

Multiple instances of svchost.exe are perfectly normal. This is a Windows program that manages various services on your system, and if you have many services you are likely to have several instances of the program. You have a lot of services (O23s in HijackThis).

For further guidance on this topic I would refer you to our BC Windows XP forum, as well as the startup forum. I have learned a lot from them since I joined. One great resource on offer at the XP forum is the Windows XP Tweak Guide -- a pinned topic at the top of the page. If you really want to get into computer optimizing, that guide is must read material. If you have specific questions about your own programs you should post them on the relevant forum, where you can get input from a number of real experts. In describing your concerns you should mention that you have already been helped here and are now malware-free.

Good luck, and happy computing -- :thumbsup:

Dave
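
Added example, not from Dave's post and not a Windows or BleepingComputer tool: on XP the command `tasklist /svc` at a command prompt lists every process together with the services it hosts, which is the quickest way to see what each svchost.exe instance is actually doing. The Python below parses that output, groups services per svchost PID, and flags any svchost.exe that hosts no service at all, the usual sanity check a responder runs alongside a startup-list review. The tasklist output embedded in the script is constructed to resemble an XP system; its PID 1700 entry is made up purely to show that check firing.

```python
"""Group the services hosted by each svchost.exe instance from the
output of `tasklist /svc` (Windows XP and later).  Added example for
this thread, not a Windows or BleepingComputer tool.  The tasklist
output below is constructed to look like an XP box, including one
svchost.exe (PID 1700) that hosts no service at all."""
import re
from typing import Dict, List, Tuple

SAMPLE_TASKLIST = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
smss.exe                       520 N/A
winlogon.exe                   620 N/A
services.exe                   664 Eventlog, PlugPlay
lsass.exe                      676 PolicyAgent, ProtectedStorage, SamSs
svchost.exe                    852 DcomLaunch, TermService
svchost.exe                    920 RpcSs
svchost.exe                   1004 AudioSrv, BITS, Browser, CryptSvc, Dhcp,
                                   EventSystem, lanmanserver, Schedule, Themes,
                                   winmgmt, wuauserv, WZCSVC
svchost.exe                   1104 Dnscache
svchost.exe                   1152 LmHosts, RemoteRegistry, SSDPSRV, WebClient
spoolsv.exe                   1416 Spooler
svchost.exe                   1700 N/A
"""

# image name (may contain spaces), PID, then the service list
RECORD_RE = re.compile(r"^(?P<name>\S.*?)\s+(?P<pid>\d+)\s+(?P<svcs>.*)$")

Process = Tuple[str, int, List[str]]


def _split_services(field: str) -> List[str]:
    names = [s.strip() for s in field.split(",")]
    return [n for n in names if n and n != "N/A"]


def parse_tasklist(text: str) -> List[Process]:
    """Parse `tasklist /svc` output into (image, pid, [services]) records.

    Long service lists wrap onto continuation lines that start with
    whitespace; those belong to the most recent record."""
    records: List[Process] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith(("Image Name", "=")):
            continue  # header and separator
        if raw[0].isspace():
            if records:
                records[-1][2].extend(_split_services(raw))
            continue
        m = RECORD_RE.match(raw)
        if not m:
            continue
        records.append((m["name"], int(m["pid"]), _split_services(m["svcs"])))
    return records


def svchost_groups(records: List[Process]) -> Dict[int, List[str]]:
    """Map each svchost.exe PID to the group of services it hosts."""
    return {pid: svcs for name, pid, svcs in records if name.lower() == "svchost.exe"}


def svchost_without_services(records: List[Process]) -> List[int]:
    """svchost.exe exists only to host services, so an instance with an
    empty service list deserves a second look (path, parent process,
    publisher) before it is assumed to be Windows' own."""
    return [pid for pid, svcs in svchost_groups(records).items() if not svcs]


if __name__ == "__main__":
    recs = parse_tasklist(SAMPLE_TASKLIST)
    for pid, svcs in svchost_groups(recs).items():
        print(f"svchost.exe PID {pid}: {len(svcs)} service(s): {', '.join(svcs) or '(none)'}")
    print("svchost instances hosting nothing:", svchost_without_services(recs))
```

Six svchost.exe instances on a stock XP install, as in the sample, is normal; the thing to look at is not the count but whether each one is hosting a recognisable group of services.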

#12 Tarzan (Topic Starter)

Posted 30 October 2006 - 04:20 PM

Hi Dave,

I'd just like to say thanks! I'm really grateful for all the help.

:thumbsup:

Tarzan!

#13 DaveM59

Posted 30 October 2006 - 05:17 PM

You're welcome Tarzan. Good job getting rid of your malware BTW -- :thumbsup:

Regards from Tennessee,

Dave :flowers:

#14 DaveM59

Posted 08 November 2006 - 07:53 PM

Since this topic appears to be resolved, it is now closed. If you want it re-opened, please PM a moderator and put the url in your request. This applies to the original poster only. Everyone else please start a new topic.



