How Do I Clear This Up?
#1
Posted 23 July 2004 - 04:14 AM
#2
Posted 23 July 2004 - 07:48 PM
"Attached" files can transmit infections.
I have downloaded your log file and posted its contents:
(And suggestions for helping you - see below the log file)
Now, download and run Spybot-Search&Destroy and Ad-Aware; they are the standard programs for finding and cleaning malware off your system. Here are links to both programs, and instructions for their use.
Logfile of HijackThis v1.97.7
Scan saved at 11:10:29, on 23/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\WINDOWS\System32\automove.exe
C:\WINDOWS\goidr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\System32\mpcorew.exe
C:\WINDOWS\System32\iaservcw.exe
C:\WINDOWS\System32\svcirtm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\SYSTEM32\CS4P028.EXE
C:\PROGRA~1\COFFEE~1\FreeZip\cczip.exe
C:\Documents and Settings\Phil\Local Settings\Temporary Internet Files\Content.IE5\AR7VKZHW\hijackthis[1]\HijackThis.exe
C:\PROGRA~1\COMMON~1\tsa\tsm.exe
C:\PROGRA~1\COMMON~1\tsa\ts.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.sma...earch/?new-hkcu
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homep...rt.cgi?new-hkcu
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homep...rt.cgi?new-hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.sma...earch/?new-hklm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: URLSearch Class - {965A592F-8EFA-4250-8630-7960230792F1} - C:\WINDOWS\System32\cdsm32.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497 - (no file)
O1 - Hosts: comments (such as these) may be inserted on individual
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {30A56549-9D5B-4D34-AFA7-440A7F0538A9} - C:\Program Files\Open Site\opnste.dll
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O2 - BHO: (no name) - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - C:\WINDOWS\System32\SWin32.dll
O2 - BHO: (no name) - {9E992732-295F-4987-8BE3-16FAC1639198} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERV~1\IEService.dll
O2 - BHO: Core Library - {D4D505DF-D582-400c-91B6-84921012AFE3} - C:\WINDOWS\System32\PDF72ae.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe
O4 - HKLM\..\Run: [System Process] C:\WINDOWS\lsass.exe /i
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [Popup Defence Updater] regsvr32 /s C:\WINDOWS\System32\pdfupd.dll
O4 - HKLM\..\Run: [Adstartup] C:\WINDOWS\System32\automove.exe
O4 - HKLM\..\Run: [fxgfsm] C:\WINDOWS\System32\ltdybb.exe
O4 - HKLM\..\Run: [goidr] C:\WINDOWS\goidr.exe
O4 - HKLM\..\Run: [SafeGuard Popup Updater (required)] regsvr32 /s C:\WINDOWS\System32\PDF72ae.dll
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [aqadcup] C:\WINDOWS\aqadcup.exe
O4 - HKLM\..\Run: [mpcorew] C:\WINDOWS\System32\mpcorew.exe
O4 - HKLM\..\Run: [svcirtm] C:\WINDOWS\System32\svcirtm.exe
O4 - HKLM\..\Run: [iaservcw] C:\WINDOWS\System32\iaservcw.exe
O4 - HKLM\..\Run: [ClrSchLoader] C:\PROGRA~1\Lycos\IEagent\Loader.exe
O4 - HKLM\..\Run: [Tsa] C:\PROGRA~1\COMMON~1\tsa\tsm.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...ector/swdir.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.8.cab
O16 - DPF: {1FDEC088-A699-46FE-BF76-D5FD6DAE6150} (UCSearch.ucUCSearch) - http://www.armbender.com/UCSearch.CAB
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - http://www2.flingsto...00XP/bridge.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
Get Spybot - Search & Destroy from http://security.kolla.de (This is the NEW Version 1.3)
Get AdAware 6 from http://www.lavasoft....upport/download
Download and install these programs in their own PERMANENT folders if you don't already have them. If you do have them, make sure they are UPDATED AND CONFIGURED AS DESCRIBED.
To run Spybot S&D:
After installing first press "Online", click on "Search for Updates", then select all updates. Beside the download button is a little down-pointed arrow, which gives you a choice of several download sites; select one of the servers listed (the Australian server usually works well). Now, press "Download Updates." If that site doesn't work or you get an error message, try a different server.
When the updates are finished, close your browser and ALL WINDOWS EXCEPT THE ONE SPYBOT IS RUNNING IN, then press 'Check for Problems'; THE SCAN WILL TAKE SEVERAL MINUTES. Have SpyBot remove all it finds THAT ARE MARKED IN RED. When it's finished, REBOOT your system.
Get AdAware 6 from http://www.lavasoft....upport/download
Then, Run ADAWARE:
Before you scan with AdAware, check for updates of the reference file by using the "webupdate" button at the lower right of the panel. The current ref file should read at least 01R312 30.05.2004 or a higher number/later date. Updates for this program come out frequently to keep up with new malware. THIS IS CRITICAL; updating is as important as installing these programs.
Then ........
Make sure the following settings are made and on -------"ON=GREEN"
From main window: Click "Start" then "Activate in-depth scan"
then......
click "Use custom scanning options>Customize" and have these options ON: "Scan within archives", "Scan active processes", "Scan registry", "Deep scan registry", "Scan my IE Favorites for banned URL" and "Scan my host-files"
then.........
go to settings (the gear icon on top of AdAware)>Tweak>Scanning engine and click "Unload recognized processes during scanning" ...........then........"Cleaning engine" and "Let windows remove files in use at next reboot"
then...... click "proceed" to save your settings.
To scan, click NEXT. This scan will also take several minutes.
When the scan is finished, mark everything for removal and get rid of it. (Right-click the window and choose "select all" from the drop down menu) then press "next" and then say YES to the prompt, "do you want to remove all these entries?" Reboot again.
Then try these free online virus scans of your system:
Trend-Micro:
http://housecall.tre.../start_corp.asp
Panda:
http://www.pandasoft...com/activescan/
Etrust:
http://www3.ca.com/s...sinfo/scan.aspx
Let them delete any infections found. Reboot in between scans.
Then please download the NEWEST version (v 1.98.0) of Hijack This!
Important: Create a folder on the C: drive called C:\HJT.
You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it HJT.
Download HijackThis into this folder.
If required a tutorial is here = Hijackthis Folder Tutorial
After running all three, please post a new log file in this thread.