Hijackthis log could someone take a look please

unlovedwarrior:
Don't do the HijackThis in Safe Mode; do it in Normal Mode.

CBMatt:
unlovedwarrior is right; you need to do the HJT scan in Normal Mode.  However, your log looks like it's from Normal Mode (despite what you said in your post), so I'll just give my advice...

What anti-virus is on this computer?  Whatever's on there, it isn't active.  It's important to have an active anti-virus scanner.  Otherwise, this is pointless because that computer will just get infected again.



Once we start, you won't have access to this post anymore, so I recommend that you print out this post or save it to a Notepad file.  Open HijackThis and scan again.  Check the following entries, but don't do anything to them yet...

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O17 - HKLM\System\CCS\Services\Tcpip\..\{19E669B3-7C3D-4CFF-A4B8-04348E3B9F76}: NameServer = 85.255.115.46 85.255.112.154
O17 - HKLM\System\CCS\Services\Tcpip\..\{C1FF8C4E-E1B9-40C7-BEB4-7398C4863721}: NameServer = 85.255.115.46
O17 - HKLM\System\CCS\Services\Tcpip\..\{EA384C8F-8E59-46F5-9BFD-B6086054A9FC}: NameServer = 85.255.115.46
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.46 85.255.112.154
O17 - HKLM\System\CS1\Services\Tcpip\..\{19E669B3-7C3D-4CFF-A4B8-04348E3B9F76}: NameServer = 85.255.115.46 85.255.112.154

R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
O2 - BHO: SWEETIE Class - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - C:\PROGRA~1\MACROG~1\SWEETI~1\toolbar.dll
O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
O4 - HKLM\..\Run: [SweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - HKCU\..\Run: [SweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
(SweetIM isn't exactly malicious, but it's considered a form of adware/spyware.  Take a look at some of this quote from its EULA...)


--- Quote ---When you conduct a search through our toolbar, we send our advertising partner your IP so that they might be able to serve ads targeted to your location geographically.
--- End quote ---

O4 - HKCU\..\Run: [msnmsgr] ~"C:\Program Files\MSN Messenger\msnmsgr.exe" /background
(This is something I don't believe I've seen before.  MSN Messenger is legit, but the filepath isn't normally preceded by a tilde mark (~).  You should head over to VirusTotal and scan the file.  Post the results here.)

Now, close all windows (including this one) besides HijackThis, then click Fix Checked.  Close HijackThis and reboot into Safe Mode and enable hidden files and folders.

Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following (if present)...

SweetIM

Please note any other programs that you don't recognize in that list in your next response.

Navigate to and delete the following folder(s) if present...

C:\Program Files\Macrogaming

Once you've done all of this, reboot into Normal Mode and post a new HijackThis log so we can see if there's any other junk we need to clean up.  Let me know how everything's running now and if you had any problems following my steps.

Spero-T:
Thanks, have not been back round to make the changes but will let you know.

oddjob:
You also have a Wareout infection indicated by those O17 entries.

Do as CBMatt advises then do this .....


Download FixWareout from one of these links ....

http://downloads.subratam.org/Fixwareout.exe

http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it.

Click Next, then Install, make sure "Run fixit" is checked and click Finish.

The fix will begin. Follow the prompts.

If your firewall gives an alert (because this tool will download an additional file from the internet) don't let your firewall block it but allow it instead.

You will be asked to reboot your computer. Please do so.

Your system may take longer than usual to load. This is normal.

After reboot a log will open (report.txt). It will be present in the C:\Fixwareout folder.

SAVE that report and post it to this thread so CBMatt can review it.



OJ
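
The O17 check discussed in the posts above, as an added example that is not part of the original thread: it pulls every O17 NameServer line out of a HijackThis log and lists resolvers that are not on a known-good list, together with the registry keys that set them. The function names, the trusted resolver 192.168.1.1 and the last O17 line in the sample are assumptions made for the illustration; the other log lines are copied from the log quoted in this thread.

```python
import re

# O17 lines copied from the HijackThis log quoted in this thread, plus one
# constructed line (router at 192.168.1.1) to show a value that is not flagged.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{19E669B3-7C3D-4CFF-A4B8-04348E3B9F76}: NameServer = 85.255.115.46 85.255.112.154
O17 - HKLM\System\CCS\Services\Tcpip\..\{C1FF8C4E-E1B9-40C7-BEB4-7398C4863721}: NameServer = 85.255.115.46
O17 - HKLM\System\CCS\Services\Tcpip\..\{EA384C8F-8E59-46F5-9BFD-B6086054A9FC}: NameServer = 85.255.115.46
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.46 85.255.112.154
O17 - HKLM\System\CS1\Services\Tcpip\..\{19E669B3-7C3D-4CFF-A4B8-04348E3B9F76}: NameServer = 85.255.115.46 85.255.112.154
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 192.168.1.1
O4 - HKCU\..\Run: [SweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
"""

# Assumption: the resolvers this machine is supposed to use (router / ISP).
TRUSTED_RESOLVERS = {"192.168.1.1"}

O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")


def parse_o17(log_text):
    """Return (registry_key, [servers]) for every O17 NameServer line."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            # NameServer holds a space- or comma-separated address list.
            servers = [s for s in re.split(r"[,\s]+", m.group("servers")) if s]
            entries.append((m.group("key"), servers))
    return entries


def untrusted_resolvers(log_text, trusted):
    """Map each resolver outside `trusted` to the registry keys that set it."""
    hits = {}
    for key, servers in parse_o17(log_text):
        for server in servers:
            if server not in trusted:
                hits.setdefault(server, []).append(key)
    return hits


if __name__ == "__main__":
    for server, keys in untrusted_resolvers(SAMPLE_LOG, TRUSTED_RESOLVERS).items():
        print(f"{server}: set in {len(keys)} key(s)")
        for key in keys:
            print(f"    {key}")
```

Seeing the same unexpected resolver under both the per-interface keys and the global Tcpip\Parameters key, across more than one control set, is the pattern visible in the log above.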




patio:
Welcome Back, oddjob ! !
