1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Solved: Hijack This help........virus

Discussion in 'Virus & Other Malware Removal' started by kpmurphy, Feb 10, 2007.

Thread Status:
Not open for further replies.
Advertisement
  1. kpmurphy

    kpmurphy Thread Starter

    Joined:
    Mar 9, 2005
    Messages:
    252
    I am getting a trojan pop with some ads that have taken over my Internet Explorer homepage. Here is my log if someone can help me out. Thanks!



    Logfile of HijackThis v1.99.1
    Scan saved at 12:31:34 PM, on 2/10/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Video ActiveX Object\isamntr.exe
    C:\Program Files\Video ActiveX Object\pmsnrr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~2\VPTray.exe
    C:\Program Files\Video ActiveX Object\pmmnt.exe
    C:\Program Files\Video ActiveX Object\isamini.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Hijack This\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} - C:\Program Files\Video ActiveX Object\isadd.dll
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1139765381905
    O16 - DPF: {7FE26BE2-B923-4B41-9834-E84DA1CC1F96} (Maid Control) - http://vsp.closetmaid.com/vsp/cmaidctl_vsp.closetmaid.com_downloader.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
     
  2. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, Here is what to do:

    Please download SmitfraudFix (by S!Ri)
    Extract the content (a folder named SmitfraudFix) to your Desktop.
    Open the SmitfraudFix folder and double-click smitfraudfix.cmd
    Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
    Please copy/paste the content of that report into your next reply.

    Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
    http://www.beyondlogic.org/consulting/proc...processutil.htm
     
  3. kpmurphy

    kpmurphy Thread Starter

    Joined:
    Mar 9, 2005
    Messages:
    252
    Thanks!

    SmitFraudFix v2.141

    Scan done at 13:02:54.73, Sat 02/10/2007
    Run from C:\Documents and Settings\Shaina LaFlamme\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» hosts


    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

    C:\WINDOWS\system32\vblhanf.dll FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Shaina LaFlamme


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Shaina LaFlamme\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu

    C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND !
    C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\SHAINA~1\FAVORI~1

    C:\DOCUME~1\SHAINA~1\FAVORI~1\Online Security Test.url FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» Desktop

    C:\DOCUME~1\ALLUSE~1\Desktop\Online Security Guide.url FOUND !
    C:\DOCUME~1\ALLUSE~1\Desktop\Security Troubleshooting.url FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

    C:\Program Files\Video ActiveX Object\ FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"


    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{e6adaaf0-79b2-4cf1-a660-50a0b33991a1}"="didymiums"



    »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32


    »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End
     
  4. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, Here is the second part of the fix:

    Copy these steps to a Notepad text file and save it as steps.txt to your desktop, or print them, as you will not be able to get online while working in Safe Mode (and, please do
    not use Safe Mode with Networking for this fix!)

    Next, please reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, a menu with options should appear;
    • Select the first option, to run Windows in Safe Mode, then press "Enter".
    • Choose your usual account.
    Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
    Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

    You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

    The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

    The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

    A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.

    The report can also be found at the root of the system drive, usually at C:\rapport.txt

    Warning: running option #2 on a non infected computer will remove your Desktop background.
    _ _ _ _ _


    Post that log, and a new Hijackthis log please.
     
  5. kpmurphy

    kpmurphy Thread Starter

    Joined:
    Mar 9, 2005
    Messages:
    252
    Things are running much better now. Thanks again....here is the report:


    SmitFraudFix v2.141

    Scan done at 13:59:46.61, Sat 02/10/2007
    Run from C:\Documents and Settings\Shaina LaFlamme\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{e6adaaf0-79b2-4cf1-a660-50a0b33991a1}"="didymiums"


    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» hosts


    127.0.0.1 localhost

    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

    C:\WINDOWS\system32\vblhanf.dll Deleted
    C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted
    C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url Deleted
    C:\DOCUME~1\ALLUSE~1\Desktop\Online Security Guide.url Deleted
    C:\DOCUME~1\ALLUSE~1\Desktop\Security Troubleshooting.url Deleted
    C:\DOCUME~1\SHAINA~1\FAVORI~1\Online Security Test.url Deleted
    C:\Program Files\Video ActiveX Object\ Deleted

    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» End
     
  6. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, Next I would like to see a report from this online scanner:

    It will take some time, so plan accordingly, on average from 20 minutes to over an hour...it depends on several things, at your end, and at the other server's.

    HERE to run Panda's ActiveScan
    • Once you are on the Panda site click the Scan your PC button
    • A new window will open...click the Check Now button
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Click the big Scan Now button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • When download is complete, click on My Computer to start the scan
    • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

    Post a new Hijackthis log when you have done Panda.
     
  7. kpmurphy

    kpmurphy Thread Starter

    Joined:
    Mar 9, 2005
    Messages:
    252
    Thanks again. Here are the 2 logs:


    Incident Status Location

    Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Shaina LaFlamme\Application Data\Mozilla\Firefox\Profiles\ojqev5uy.default\cookies.txt[.zedo.com/]
    Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Shaina LaFlamme\Application Data\Mozilla\Firefox\Profiles\ojqev5uy.default\cookies.txt[.as-us.falkag.net/]
    Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Shaina LaFlamme\Application Data\Mozilla\Firefox\Profiles\ojqev5uy.default\cookies.txt[.burstnet.com/]
    Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Shaina LaFlamme\Application Data\Mozilla\Firefox\Profiles\ojqev5uy.default\cookies.txt[.go.com/]
    Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Shaina LaFlamme\Application Data\Mozilla\Firefox\Profiles\ojqev5uy.default\cookies.txt[.statcounter.com/]
    Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Shaina LaFlamme\Application Data\Mozilla\Firefox\Profiles\ojqev5uy.default\cookies.txt[ad.yieldmanager.com/]
    Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Shaina LaFlamme\Application Data\Mozilla\Firefox\Profiles\ojqev5uy.default\cookies.txt[.com.com/]
    Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Shaina LaFlamme\Application Data\Mozilla\Firefox\Profiles\ojqev5uy.default\cookies.txt[.belnk.com/]
    Spyware:Cookie/MetriWeb Not disinfected C:\Documents and Settings\Shaina LaFlamme\Application Data\Mozilla\Firefox\Profiles\ojqev5uy.default\cookies.txt[.metriweb.be/]
    Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Shaina LaFlamme\Application Data\Mozilla\Firefox\Profiles\ojqev5uy.default\cookies.txt[.casalemedia.com/]
    Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Shaina LaFlamme\Application Data\Mozilla\Firefox\Profiles\ojqev5uy.default\cookies.txt[server.iad.liveperson.net/hc/31048447]
    Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Shaina LaFlamme\Application Data\Mozilla\Firefox\Profiles\ojqev5uy.default\cookies.txt[server.iad.liveperson.net/]
    Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Shaina LaFlamme\Application Data\Mozilla\Firefox\Profiles\ojqev5uy.default\cookies.txt[server.iad.liveperson.net/hc/31048447]
    Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Shaina LaFlamme\Application Data\Mozilla\Firefox\Profiles\ojqev5uy.default\cookies.txt[www.burstbeacon.com/]
    Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Shaina LaFlamme\Application Data\Mozilla\Firefox\Profiles\ojqev5uy.default\cookies.txt[.serving-sys.com/]
    Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Shaina LaFlamme\Application Data\Mozilla\Firefox\Profiles\ojqev5uy.default\cookies.txt[.bs.serving-sys.com/]
    Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Shaina LaFlamme\Application Data\Mozilla\Firefox\Profiles\ojqev5uy.default\cookies.txt[.serving-sys.com/]
    Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Shaina LaFlamme\Application Data\Mozilla\Firefox\Profiles\ojqev5uy.default\cookies.txt[.apmebf.com/]
    Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Shaina LaFlamme\Application Data\Mozilla\Firefox\Profiles\ojqev5uy.default\cookies.txt[.realmedia.com/]
    Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Shaina LaFlamme\Application Data\Mozilla\Firefox\Profiles\ojqev5uy.default\cookies.txt[.target.com/]
    Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Shaina LaFlamme\Application Data\Mozilla\Firefox\Profiles\ojqev5uy.default\cookies.txt[.maxserving.com/]
    Spyware:Cookie/Barelylegal Not disinfected C:\Documents and Settings\Shaina LaFlamme\Cookies\shaina [email protected][1].txt
    Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Shaina LaFlamme\Cookies\shaina [email protected][2].txt
    Spyware:Cookie/cs.sexcounter Not disinfected C:\Documents and Settings\Shaina LaFlamme\Cookies\shaina [email protected][2].txt
    Spyware:Cookie/Kmpads Not disinfected C:\Documents and Settings\Shaina LaFlamme\Cookies\shaina [email protected][2].txt
    Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Shaina LaFlamme\Desktop\SmitfraudFix\Process.exe
    Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Shaina LaFlamme\Desktop\SmitfraudFix.zip[SmitfraudFix/Process.exe]
    Adware:Adware/VideoActiveXObject Not disinfected C:\Hijack This\backups\backup-20070210-123101-299.dll
    Adware:Adware/VideoActiveXObject Not disinfected C:\Hijack This\backups\backup-20070210-123119-848.dll
    Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe



    Logfile of HijackThis v1.99.1
    Scan saved at 11:22:57 PM, on 2/10/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~2\VPTray.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Hijack This\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1139765381905
    O16 - DPF: {7FE26BE2-B923-4B41-9834-E84DA1CC1F96} (Maid Control) - http://vsp.closetmaid.com/vsp/cmaidctl_vsp.closetmaid.com_downloader.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
     
  8. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, You are OK- the items Panda found are mostly cookies, those are a part of using the Net and normal but can be easily dealt with by using a temp file cleaner, more on that later.

    The other items are the files from SmitFraudFix which it sees as suspicious, they aren't, just ignore those.

    The ones in the Hijackthis backups folder can be deleted by simply uninstalling Hijackthis, or, go into the backups area and manually delete them, they will not be needed.

    Here is a good temp file cleaner- it also removes Cookies, which help your computer be "recognized" at sites like ours, which use login names and passwords...automatic logins. When you clean cookies it takes these along with the rest, unless you select the ones you need to keep, and exclude them from deletion. ATFCleaner will allow you to select those cookies you want to keep and put them in an exclude list. This can take time if you have a lot of logins to save...but, it's worth doing, unless you really know exactly all your passwords or have a list of login names and passwords saved.

    Download ATFCleaner by Atribune & save it to your desktop. DO NOT use it yet. We will use it in Safe Mode, later

    ((You don't have to do it right now!))

    As you probably know, deleting Cookies can result in you having to type in your username and passwords at ALL sites that use logins, like this site does, so if you willy nilly delete cookies, which is safe enough to do, you will have to re-establish these cookies and login the first time you visit any site like that.
    ATF Cleaner has a way to save those cookies you would like to keep but it will require some time. If you DO KNOW or have saved all your Passwords and login usernames you can delete all cookies.

    * Restart your computer into safe mode now.To get into the Windows 2000 / XP Safe mode, as the computer is booting press and hold your "F8 Key" which should bring up the "Windows Advanced Options Menu"
    Use your arrow keys to move to "Safe Mode" and press your Enter key.

    Next, start up ATFCleaner:

    • Double-click ATF-Cleaner.exe to run the program.
      Under Main choose: Select All
      Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.
    Restart the computer.

    OK, I don't think we need to see any more logs, the next few days will tell you if anything comes back.

    You are using Ewido 4.0- if it is the paid for version, you can upgrade for free to AVG Antispyware 7.5, made by Grisoft who has taken over Ewido....

    If Ewido was the free version, just uninstall it after downloading the package for AVG Antispyware, it's the same program.

    I can post the directions for getting and installing AVG A/S. The program is not an antivirus program so you can use it along with most any antivirus program. Let me know. Will take a sec to post the steps.
     
  9. kpmurphy

    kpmurphy Thread Starter

    Joined:
    Mar 9, 2005
    Messages:
    252
    Thanks for the help!
     
  10. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, OK, I will let this thread sit for awhile, if you need any help or have questions about anything feel free to post here.
    If you feel the issue is completed, just mark this "Solved" by using the Thread Tools button found at the top of the page.
     
  11. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/542885

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice