Tech Support Forum thread (not open for further replies) · 1 - 6 of 6 Posts

Registered · 10 Posts · Discussion Starter · #1
I have just followed the steps posted by "tetonbob" and removed "antivermin". Just hoping someone could review my logs to ensure that everything is indeed clean. AVG was clean, and attached is my clean HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 11:29:47 AM, on 12/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\Ati2evxx.exe
G:\WINDOWS\system32\svchost.exe
G:\Program Files\Windows Defender\MsMpEng.exe
G:\WINDOWS\System32\svchost.exe
G:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
G:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
G:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
G:\WINDOWS\system32\spoolsv.exe
G:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
G:\WINDOWS\system32\HPZipm12.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\system32\Ati2evxx.exe
G:\WINDOWS\Explorer.EXE
G:\WINDOWS\SOUNDMAN.EXE
G:\WINDOWS\system32\nvraidservice.exe
G:\Program Files\ATI Technologies\ATI.ACE\cli.exe
G:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
G:\Program Files\HP\HP Software Update\HPWuSchd2.exe
G:\Program Files\Common Files\Symantec Shared\ccApp.exe
G:\Program Files\QuickTime\qttask.exe
G:\Program Files\iTunes\iTunesHelper.exe
G:\Program Files\Common Files\Real\Update_OB\realsched.exe
G:\Program Files\Windows Defender\MSASCui.exe
G:\Program Files\Messenger\msmsgs.exe
G:\Program Files\Skype\Phone\Skype.exe
G:\WINDOWS\system32\ctfmon.exe
G:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
G:\WINDOWS\system32\wbem\unsecapp.exe
G:\Program Files\iPod\bin\iPodService.exe
G:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
G:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
G:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
G:\Program Files\Internet Explorer\iexplore.exe
G:\Documents and Settings\Brian Kummer\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - G:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: (no name) - {67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} - G:\Program Files\Video ActiveX Object\isaddon.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - G:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - G:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: Protection Bar - {0D045BAA-4BD3-4C94-BE8B-21536BD6BD9F} - G:\Program Files\Video ActiveX Object\iesplugin.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [NVRaidService] G:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [ATIPTA] G:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "G:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "G:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] "G:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [ccApp] "G:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "G:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [QuickTime Task] "G:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "G:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "G:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Defender] "G:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [MSMSGS] "G:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "G:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] G:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] G:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = G:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = G:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = G:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = G:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = G:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1163021246562
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - G:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - G:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - G:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - G:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - G:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - G:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: iPod Service - Apple Computer, Inc. - G:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - G:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - G:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - G:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

Thanks Again,
Brian Kummer

TSF Security Manager, Emeritus · 51,795 Posts
If you ran smitfraudfix, the active files should be gone, but it appears as though there are a couple of new entries not yet covered by the tool.

If you did not run smitfraudfix, we'll need to....

For now, please do this:

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any open browsers when you are carrying out the procedures below. Save the following instructions in Notepad, as this webpage will not be available while you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) and click Fix Checked

O2 - BHO: (no name) - {67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} - G:\Program Files\Video ActiveX Object\isaddon.dll (file missing)
O3 - Toolbar: Protection Bar - {0D045BAA-4BD3-4C94-BE8B-21536BD6BD9F} - G:\Program Files\Video ActiveX Object\iesplugin.dll (file missing)


Close HijackThis now.

---------------------------------------------------------------------------------------------

Please download SmitfraudFix (by S!Ri) to your Desktop, if you don't have it.

Double-click smitfraudfix.exe to start the tool.
Select option #1 - Search by typing 1 and press "Enter"
and a text file will appear which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

IMPORTANT: Do NOT run option #2 OR any other option until you are directed to do so!

Registered · 10 Posts · Discussion Starter · #3
I did run the smitfraudfix as directed in your previous post to someone else. In fact I would like to say thanks to you. After I was infected the other night I searched google to find out how to remove antivermins and found your post on this forum. I followed the instructions exactly, but will run it again. No need for further instructions, as I printed off the instructions from your previous post.

Thanks Again,
Brian Kummer

TSF Security Manager, Emeritus · 51,795 Posts
Hi Brian -

Ok, great. Glad to see you are a self-starter. Know, however, that not every infection is always the same.

Do fix the entries I indicated in my last post.

Do run an online scan at Panda as I have other users do. It looks for remnants of this and other infections.

Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click on
    located at the bottom of the page.
  2. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  3. Enter your e-mail address, country, and state & click "Free Online Scan" *Panda's 8 MB ActiveX control will then be downloaded*
Begin the scan by selecting
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on
    then click
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan


Paste the Panda Scan report here together with a new HiJack This log.

Do post a new HJT log after running the last fix, so I can confirm it's clean, and give you final housekeeping and protection instructions.

Cheers!

Registered · 10 Posts · Discussion Starter · #5
Teton, I thought everything was going well. I went out of town for a couple of days, so I wasn't at home to finish up the Panda scan. Unfortunately, my computer has been running extremely slowly, so I fear that I have something else now. I ran Flight Simulator 04 and could only manage 2 frames per second. Hopefully this slowdown is some other problem. I ran Norton Antivirus and the scan was clean. Panda turned up some things. I have run a new SmitfraudFix, AVG, HJT, and Panda scan. I have attached the logs for all except AVG, as it was clean.

HJT

Logfile of HijackThis v1.99.1
Scan saved at 12:04:42 PM, on 1/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\Ati2evxx.exe
G:\WINDOWS\system32\svchost.exe
G:\Program Files\Windows Defender\MsMpEng.exe
G:\WINDOWS\System32\svchost.exe
G:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
G:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
G:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
G:\WINDOWS\system32\spoolsv.exe
G:\WINDOWS\system32\Ati2evxx.exe
G:\WINDOWS\Explorer.EXE
G:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
G:\WINDOWS\system32\svchost.exe
G:\Program Files\Windows Defender\MSASCui.exe
G:\Program Files\Common Files\Real\Update_OB\realsched.exe
G:\WINDOWS\SOUNDMAN.EXE
G:\WINDOWS\system32\nvraidservice.exe
G:\Program Files\iTunes\iTunesHelper.exe
G:\Program Files\HP\HP Software Update\HPWuSchd2.exe
G:\Program Files\Common Files\Symantec Shared\ccApp.exe
G:\Program Files\ATI Technologies\ATI.ACE\cli.exe
G:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
G:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
G:\WINDOWS\system32\ctfmon.exe
G:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
G:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
G:\Program Files\SpywareGuard\sgmain.exe
G:\Program Files\iPod\bin\iPodService.exe
G:\WINDOWS\system32\wbem\unsecapp.exe
G:\Program Files\SpywareGuard\sgbhp.exe
G:\Documents and Settings\Brian Kummer\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - G:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - G:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - G:\Program Files\Java\jre1.6.0\bin\ssv.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - G:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [Windows Defender] "G:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [TkBellExe] "G:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "G:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "G:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [osCheck] "G:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [NVRaidService] G:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [iTunesHelper] "G:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] "G:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [ccApp] "G:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ATIPTA] G:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "G:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKCU\..\Run: [SpybotSD TeaTimer] G:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Skype] "G:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSMSGS] "G:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LDM] G:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [ctfmon.exe] G:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = G:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = G:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = G:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = G:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = G:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = G:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1163021246562
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - G:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - G:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - G:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - G:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - G:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - G:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: iPod Service - Apple Computer, Inc. - G:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - G:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - G:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - G:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe



Smitfraudfix

SmitFraudFix v2.131

Scan done at 13:37:57.32, Mon 01/01/2007
Run from G:\Documents and Settings\Brian Kummer\Desktop\Anti-Spyware\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» G:\


»»»»»»»»»»»»»»»»»»»»»»»» G:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» G:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» G:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» G:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» G:\Documents and Settings\Brian Kummer


»»»»»»»»»»»»»»»»»»»»»»»» G:\Documents and Settings\Brian Kummer\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» G:\DOCUME~1\BRIANK~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» G:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End


Panda scan

Incident Status Location

Spyware:Cookie/2o7 Not disinfected G:\Documents and Settings\Brian Kummer\Cookies\[email protected][2].txt
Spyware:Cookie/PointRoll Not disinfected G:\Documents and Settings\Brian Kummer\Cookies\[email protected][2].txt
Spyware:Cookie/Serving-sys Not disinfected G:\Documents and Settings\Brian Kummer\Cookies\[email protected][2].txt
Spyware:Cookie/BurstNet Not disinfected G:\Documents and Settings\Brian Kummer\Cookies\[email protected][2].txt
Spyware:Cookie/Bridgetrack Not disinfected G:\Documents and Settings\Brian Kummer\Cookies\[email protected][1].txt
Spyware:Cookie/Com.com Not disinfected G:\Documents and Settings\Brian Kummer\Cookies\[email protected][1].txt
Spyware:Cookie/Go Not disinfected G:\Documents and Settings\Brian Kummer\Cookies\[email protected][2].txt
Spyware:Cookie/QuestionMarket Not disinfected G:\Documents and Settings\Brian Kummer\Cookies\[email protected][1].txt
Spyware:Cookie/WUpd Not disinfected G:\Documents and Settings\Brian Kummer\Cookies\[email protected][2].txt
Spyware:Cookie/Searchportal Not disinfected G:\Documents and Settings\Brian Kummer\Cookies\[email protected][1].txt
Spyware:Cookie/Serving-sys Not disinfected G:\Documents and Settings\Brian Kummer\Cookies\[email protected][1].txt
Spyware:Cookie/onestat.com Not disinfected G:\Documents and Settings\Brian Kummer\Cookies\[email protected][2].txt
Spyware:Cookie/Tribalfusion Not disinfected G:\Documents and Settings\Brian Kummer\Cookies\[email protected][2].txt
Potentially unwanted tool:Application/Processor Not disinfected G:\Documents and Settings\Brian Kummer\Desktop\Anti-Spyware\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected G:\WINDOWS\system32\Process.exe
Thanks Again,
Brian Kummer

TSF Security Manager, Emeritus · 51,795 Posts
I now see Spybot Search and Destroy installed, with its TeaTimer registry protection in place. That prevents HJT from doing its job. In this case, it's not too terrible, as it's only an orphaned BHO left behind, but we'll need to disable both TeaTimer and Windows Defender to fix this entry.

This HJT log appears to be from before SmitfraudFix was run. This means it won't show what SmitfraudFix should have done.

Logfile of HijackThis v1.99.1
Scan saved at 12:04:42 PM, on 1/1/2007
SmitFraudFix v2.131

Scan done at 13:37:57.32, Mon 01/01/2007
Panda found only cookies, and parts of smitfraudfix. Those are legit files, which at times can be used maliciously. In this case, they are not. Cookies are easily removed.

I need you to do this:

Clear your Internet Explorer 7 cookies.

  • Click on the Start button, then >Control Panel>Internet Options>General tab
  • Under Browsing History, click on Delete.
  • In the Delete Browsing History box that opens, click on Delete cookies



Windows Defender

Please disable your Windows Defender Real-time Protection, as it may hinder the removal of some entries.
  • Open Windows Defender.
  • Click on Tools>Options.
  • Scroll down and uncheck "Use real-time protection (recommended)".
  • After you uncheck this, click on the Save button and close Windows Defender.

Spybot S&D's TeaTimer

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.
  • See this link for a tutorial

Download ResetTeaTimer.bat by right-clicking on the link, and choosing Save As. Save it to your desktop, or somewhere you can find it easily.
Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.

Open HijackThis and click on 'Do a System Scan Only'. Check the following entry if it exists (it may not) and click Fix Checked

O2 - BHO: (no name) - {67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} - (no file)

Close HijackThis now.

---------------------------------------------------------------------------------------------

Restart your system. Allow the changes to that BHO if TeaTimer or Windows Defender ask.

Post a new HJT log.

Also, do this:

Double-click smitfraudfix.exe to start the tool.
Select option #4 - Check for Updates by typing 4 and press "Enter"

Follow the prompts and make sure your firewall allows access to the internet.

Then,
Select option #1 - Search by typing 1 and press "Enter"
and a text file will appear which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

I can't see how any of this has to do with your game's slowdown, as your logs appear clean.
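The checks tetonbob does by eye across this thread (spotting the orphaned "Video ActiveX Object" BHO and toolbar in post #1, the same BHO reduced to "(no file)" in post #5, and noticing that the second HJT log was saved before SmitfraudFix ran) can be scripted when you are triaging many of these logs. The following Python is an added example, not code from this thread or from the HijackThis or SmitfraudFix authors. It parses the entry lines of an HJT 1.99.1 log, separates add-on entries whose file is gone from O23 service lines that only look missing, diffs two logs, and compares the HJT scan time against the SmitfraudFix run time. The log excerpts are copied from the posts above; the assumptions are that the Symantec "(file missing)" lines are an artifact of HJT splitting the service command line at the embedded quote (confirm with `sc qc ccEvtMgr` before touching them) and that both tools print US month/day dates, as they do here.

```python
"""Added helper for reading HijackThis 1.99.1 logs the way this thread does by hand."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Excerpts copied from the two HJT logs and the SmitfraudFix report in this thread
# (only the lines needed here; G: is the poster's system drive).
OLD_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 11:29:47 AM, on 12/28/2006
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} - G:\Program Files\Video ActiveX Object\isaddon.dll (file missing)
O3 - Toolbar: Protection Bar - {0D045BAA-4BD3-4C94-BE8B-21536BD6BD9F} - G:\Program Files\Video ActiveX Object\iesplugin.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - G:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
"""
NEW_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 12:04:42 PM, on 1/1/2007
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - G:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} - (no file)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - G:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
"""
SFF_LOG = "SmitFraudFix v2.131\nScan done at 13:37:57.32, Mon 01/01/2007\n"

ENTRY_RE = re.compile(r"^(?P<section>R[0-3]|O\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)
HJT_TIME_RE = re.compile(r"Scan saved at (\d{1,2}:\d\d:\d\d [AP]M), on (\d{1,2}/\d{1,2}/\d{4})")
SFF_TIME_RE = re.compile(r"Scan done at (\d\d:\d\d:\d\d)\.\d+, \w{3} (\d\d/\d\d/\d{4})")
MISSING = ("(file missing)", "(no file)")


@dataclass(frozen=True)
class Entry:
    section: str           # R0-R3 / O1-O23 as HJT labels them
    body: str              # everything after "Oxx - "
    clsid: Optional[str]   # upper-cased GUID when the entry has one
    path: str              # last " - " field: file path, "(no file)", or a service command line


def parse_hjt(log_text: str) -> Tuple[Optional[datetime], List[Entry]]:
    """Return (scan time, entries). The process list and other header lines are skipped."""
    scan_time, entries = None, []
    for raw in log_text.splitlines():
        line = raw.strip()
        t = HJT_TIME_RE.search(line)
        if t:
            scan_time = datetime.strptime(" ".join(t.groups()), "%I:%M:%S %p %m/%d/%Y")
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        body = m.group("body")
        c = CLSID_RE.search(body)
        entries.append(Entry(m.group("section"), body,
                             c.group(0).upper() if c else None,
                             body.rsplit(" - ", 1)[-1]))
    return scan_time, entries


def triage(entries: List[Entry]) -> Tuple[List[Entry], List[Entry]]:
    """Split 'missing file' entries into orphaned add-ons (safe to Fix) and O23 lines
    that carry a quote inside the path, i.e. a service command line with arguments
    that HJT split badly (assumed here to be a parser artifact; verify with sc qc)."""
    orphans, artifacts = [], []
    for e in entries:
        if not e.path.endswith(MISSING):
            continue
        if e.section in ("O2", "O3", "R3"):
            orphans.append(e)
        elif e.section == "O23" and '"' in e.path:
            artifacts.append(e)
    return orphans, artifacts


def diff_logs(old: List[Entry], new: List[Entry]):
    """Entries removed, added and changed between two scans, keyed by CLSID where present."""
    key = lambda e: e.clsid or e.body
    a, b = {key(e): e for e in old}, {key(e): e for e in new}
    removed = [a[k] for k in a.keys() - b.keys()]
    added = [b[k] for k in b.keys() - a.keys()]
    changed = [(a[k], b[k]) for k in a.keys() & b.keys() if a[k].body != b[k].body]
    return removed, added, changed


def hjt_reflects_fix(hjt_log: str, sff_log: str) -> bool:
    """True only if the HJT scan was saved after SmitfraudFix ran (same machine clock)."""
    hjt_time, _ = parse_hjt(hjt_log)
    m = SFF_TIME_RE.search(sff_log)
    if hjt_time is None or m is None:
        raise ValueError("could not read a scan timestamp from one of the logs")
    return hjt_time > datetime.strptime(" ".join(m.groups()), "%H:%M:%S %m/%d/%Y")
```

On the two logs above, `diff_logs` reports the Protection Bar toolbar as removed, the SpywareGuard BHO as added, and the `{67982BB7-...}` BHO as changed from a path to "(no file)": the DLL is gone but its registration is still in the registry, which is why it still has to be fixed in HJT (with TeaTimer and Defender out of the way). `hjt_reflects_fix(NEW_LOG, SFF_LOG)` is false, which is the ordering problem pointed out in the post above: a 12:04 PM HJT scan cannot show what a 13:37 SmitfraudFix run did.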