log file - please check
#1
Posted 03 March 2006 - 05:57 PM
#2
Posted 05 March 2006 - 05:49 PM
Important: Do this before any fix.
Please put your HijackThis in its own folder, (I create a new folder in C:\ named HJT).
You can do a Right Click on any open area on the desktop, New> Folder, then rename the folder HJT.
Go to where your HijackThis is and Right Click on HijackThis.exe, select Cut, then open the new folder you just created (HJT) Right Click in the folder and select paste.
The reason we do this is Hijackthis creates backup files just in case you'd need to restore one and we'll be cleaning out the temp files.
After the above:
Click the link and Save. Once saved, double click the file you just downloaded, Install, Update and run a full scan.
http://free.grisoft....ree_375a691.exe
Empty Recycle Bin
Reboot and "copy/paste" a new log file into this thread.
Also please describe how your computer behaves at the moment
The forum is run by volunteers who donate their time and expertise.
Want to help others? Join the ClassRoom and learn how.
Logs will be closed if you haven't replied within 3 days
If you would like to for the help you received.
Proud graduate of TC/WTT Classroom
#3
Posted 05 March 2006 - 07:28 PM
#4
Posted 05 March 2006 - 07:43 PM
REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\cdo]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\cdo]
@="cdo: Asychronous KnowledgePluggable Protocol Handler"
"CLSID"="{CD00020A-8B95-11D1-82DB-00C04FB1625D}"
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\file]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\file]
@="file:, local: Asychronous Pluggable Protocol Handler"
"CLSID"="{79eac9e7-baf9-11ce-8c82-00aa004ba90b}"
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ftp]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ftp]
@="ftp: Asychronous Pluggable Protocol Handler"
"CLSID"="{79eac9e3-baf9-11ce-8c82-00aa004ba90b}"
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\http]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\http]
@="http: Asychronous Pluggable Protocol Handler"
"CLSID"="{79eac9e2-baf9-11ce-8c82-00aa004ba90b}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\http\0x00000001]
@="Microsoft OLE DB Moniker Binder for Internet Publishing"
"CLSID"="{E1D2BF42-A96B-11d1-9C6B-0000F875AC61}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\http\oledb]
"CLSID"="{E1D2BF40-A96B-11d1-9C6B-0000F875AC61}"
@="Microsoft OLE DB Provider for Internet Publishing"
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\its]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\its]
@="its: Asychronous Pluggable Protocol Handler"
"CLSID"="{9D148291-B9C8-11D0-A4CC-0000F80149F6}"
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\lid]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\lid]
@="MS TV ATVEF compliant lid: Protocol Handler"
"CLSID"="{5C135180-9973-46D9-ABF4-148267CBB8BF}"
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\mk]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\mk]
@="mk: Asychronous Pluggable Protocol Handler"
"CLSID"="{79eac9e6-baf9-11ce-8c82-00aa004ba90b}"
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\res]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\res]
"CLSID"="{3050F3BC-98B5-11CF-BB82-00AA00BDCE0B}"
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\tv]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\tv]
@="TV: Pluggable Protocol"
"CLSID"="{CBD30858-AF45-11D2-B6D6-00C04FBBDE6E}"
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\wia]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\wia]
@="wia: Asychronous Pluggable Protocol Handler for WIA devices"
"CLSID"="{13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE}"
Save the file to the desktop as fix.reg and make sure the "Save as Type" field says "All Files". Then please go to the desktop and double-click on fix.reg, and click Yes to merge it with the registry.
Please post a new HJT log.
#5
Posted 05 March 2006 - 08:00 PM
#6
Posted 05 March 2006 - 08:02 PM
Please download ATF Cleaner by Atribune.
Download - ATF Cleaner»
This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
Reboot and "copy/paste" a new HijackThis log file into this thread.
#7
Posted 05 March 2006 - 09:23 PM
Edited by mikexyz, 05 March 2006 - 09:24 PM.
#8
Posted 06 March 2006 - 06:51 AM
You can fix this one with HJT.
O4 - HKCU\..\Run: [HijackThis startup scan] C:\DOCUME~1\ll\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe /startupscan
Then let's make sure nothing is hiding.
Download the trial version of Spy Sweeper from Here
Install it using the Standard Install option. (You will be asked for your e-mail address, it is safe to give it. If you receive alerts from your firewall, allow all activities for Spy Sweeper)
You will be prompted to check for updated definitions, please do so.
(This may take several minutes)
Click on Options > Sweep Options and check Sweep all Folders on Selected drives. Check Local Disc C. Under What to Sweep, check every box.
Click on Sweep and allow it to fully scan your system. If you are prompted to restart the computer, do so immediately. This is a necessary step to kill the infection!
When the sweep has finished, click Remove. Click Select All and then Next
From 'Results', select the Session Log tab. Click Save to File and save the log somewhere convenient.
Exit Spy Sweeper.
Empty Recycle Bin
Reboot and "copy/paste" a new HJT log as well as the Results from Spy Sweeper file into this thread.
Also please describe how your computer behaves at the moment.
#9
Posted 06 March 2006 - 05:47 PM
#10
Posted 06 March 2006 - 05:54 PM
Protocol {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} L file, ftp, gopher, http, https, local, mk urlmon.dll Items taken from whitelist of HijackThis
http://www.malwarehe...eting-hjt3.html
O18 - Extra protocols and protocol hijackers
This section of HijackThis looks for new or changed protocols used by Windows to 'talk' to programs, servers or itself. A protocol is one IE interprets as the beginning of an address like http://, https://, ftp://, gopher:// etc. LOP.com uses this method to make IE load content using an "ayb:// whatever address"; similarly CommonName uses cn://. Several legitimate programs also do this.
Example of O18 entries from HijackThis logs
O18 - Protocol: ayb - {07C0D34D-11D7-43F7-832B-C6BB41726F5F}
O18 - Protocol: pcn - {D540F040-F3D9-11D0-95BE-00C04FD93CA5} - C:\PROGRAM FILES\ENCOMPASS\V1MK.DLL
Recommendation: Only a few hijackers show up here. The known baddies are 'cn' (CommonName), 'ayb' (Lop.com) and 'relatedlinks' (Huntbar), you should have HijackThis fix those. Other things that show up are either not confirmed safe yet, or are hijacked. If you are in doubt get an expert opinion before fixing it.
The O18 items can be researched at CastleCops - O18 Extra protocols and protocol hijackers list.
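Added example (not part of the original thread and not HijackThis's own code): a small Python triage of O18 lines that follows the recommendation quoted in post #10 and uses the default handler CLSIDs from the fix.reg in post #4. The function name, the verdict labels and the O4, res and http sample lines are assumptions made for illustration.

```python
import re
# Names the HijackThis guidance quoted above lists as known hijackers.
KNOWN_BAD = {"cn", "ayb", "relatedlinks"}

# Default handler CLSIDs, copied from the fix.reg posted earlier in this thread.
DEFAULT_CLSID = {
    "cdo": "{CD00020A-8B95-11D1-82DB-00C04FB1625D}",
    "file": "{79EAC9E7-BAF9-11CE-8C82-00AA004BA90B}",
    "ftp": "{79EAC9E3-BAF9-11CE-8C82-00AA004BA90B}",
    "http": "{79EAC9E2-BAF9-11CE-8C82-00AA004BA90B}",
    "its": "{9D148291-B9C8-11D0-A4CC-0000F80149F6}",
    "lid": "{5C135180-9973-46D9-ABF4-148267CBB8BF}",
    "mk": "{79EAC9E6-BAF9-11CE-8C82-00AA004BA90B}",
    "res": "{3050F3BC-98B5-11CF-BB82-00AA00BDCE0B}",
    "tv": "{CBD30858-AF45-11D2-B6D6-00C04FBBDE6E}",
    "wia": "{13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE}",
}

O18_RE = re.compile(r"^O18 - Protocol: (?P<name>\S+) - "
                    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\})(?: - (?P<path>.+))?$")

def triage_o18(log_text):
    """Return (name, clsid, path, verdict) for every O18 line in a log."""
    results = []
    for line in log_text.splitlines():
        m = O18_RE.match(line.strip())
        if not m:
            continue  # not an O18 entry
        name, clsid = m["name"].lower(), m["clsid"].upper()
        if name in KNOWN_BAD:
            verdict = "known-bad"   # the guidance says to have HijackThis fix these
        elif name not in DEFAULT_CLSID:
            verdict = "unknown"     # not confirmed safe: get an expert opinion
        elif DEFAULT_CLSID[name] == clsid:
            verdict = "default"     # matches the stock value in fix.reg
        else:
            verdict = "changed"     # stock name, different CLSID: possibly hijacked
        results.append((name, clsid, m["path"], verdict))
    return results

# Constructed sample: the ayb and pcn lines are the page's examples, the rest are made up.
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [Example] C:\example\placeholder.exe
O18 - Protocol: ayb - {07C0D34D-11D7-43F7-832B-C6BB41726F5F}
O18 - Protocol: pcn - {D540F040-F3D9-11D0-95BE-00C04FD93CA5} - C:\PROGRAM FILES\ENCOMPASS\V1MK.DLL
O18 - Protocol: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B}
O18 - Protocol: http - {00000000-0000-0000-0000-000000000000} - C:\example\placeholder.dll
"""
```

Calling triage_o18(SAMPLE_LOG) returns one tuple per O18 line; anything other than "default" is a candidate for the kind of review the helper performs in this thread.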
#11
Posted 06 March 2006 - 06:01 PM
#12
Posted 06 March 2006 - 06:16 PM
Edited by mikexyz, 06 March 2006 - 06:17 PM.
#13
Posted 06 March 2006 - 06:50 PM
#14
Posted 06 March 2006 - 07:14 PM
#15
Posted 06 March 2006 - 07:16 PM
Log looks good. How is it running? Any issues?
Note: This will remove all previous Restore Points
Turn off System Restore:
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Restart your computer, turn it back on.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Remove the Check Turn off System Restore.
Click Apply, and then click OK.
Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Check "Hide file extensions for known file types."
Under the "Hidden files" folder, Uncheck "Show hidden files and folders."
Check "Hide protected operating system files."
Click Apply, and then click OK.
If you don't have these three programs I would recommend that you get them. Spywareblaster, Spywareguard and IESPY AD. They will add 1000's of sites to your restricted zone and block some hijacks from happening. I also have a FREE FIREWALL and FREE ANTI VIRUS if you need one.
It is critical to have both a firewall and anti virus to protect your system.
Keep your system up to date and run Adaware & Spybot, once a week works, and hopefully you will be ok from here on. Both are available below.
Safe Surfing.
I would also suggest you read this:
So how did I get infected in the first place?
by Tony Klein