Ok. Let's get you fixed up. This doesn't look too serious.
* When running HiJackThis scans or fixes, it is imperative that you close all programs especially internet browsers. HiJackThis, Spybot, AdAware and CWShredder cannot repair the badguys when these programs are open. So close them all now. Leave your virusscanner and firewall on.
----------------------------------------------------------------
To show hidden files instructions
Doubleclick My Computer | Tools | Folder Options | View tab
Select Show Hidden Files and Folders
Uncheck Hide extensions for known file types
Uncheck Hide protected operating system files (Recommended)
Select Apply to All Folders | Yes | Apply | OK
----------------------------------------------------------------
Turn off System Restore instructions
Rightclick My Computer | Properties | System Restore | check “Turn off System Restore”, <Apply>, <OK>. Reboot.
After we are finished with your log file and verified that it’s clean, you may turn it back on and create a new restore point.
----------------------------------------------------------------
Reboot in Safe Mode instructions. During reboot, tap the F8 key. Select Safe Mode.
----------------------------------------------------------------
Open HiJackThis | Scan,
Put a check next to the following items.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
Confirm that you have only the ones above then press <Fix checked>
Close HJT
----------------------------------------------------------------
* Empty your c:/windows/temp or c:/winnt/temp folder. Note: only empty the contents of the folder, leave the folder there.
* Now empty your Recycle Bin.
* Reboot in Normal Mode.
----------------------------------------------------------------
You should run an online virus scan. Select one or more of the following. Select Autoclean if you use TrendMicro. Online virus scans can be superior to PC scans because some malware can infect your PC virus scanner.
Panda aka http://www.pandasoftware.com/actives..._principal.htm
TrendMicro aka http://housecall.trendmicro.com/
RAV Antivirus aka http://www.ravantivirus.com/scan
Reboot.
----------------------------------------------------------------
You said you have AdAware. Make sure you have the most recent version, AdAware SE build 1.05 with the correct settings. Run it now please. Also install and run Spybot.
As far as I can tell you do not have a Firewall on your machine. A firewall is perhaps your greatest defense against these badguys. I strongly recommend that you get one. No one tool can do everything....at least not yet. So you need a variety of utilities on your machine to prevent all the malware, adware, spyware and virii out there. The bare essentials are: a good Firewall, a good virusscanner with autoprotect enabled, Spybot (with Immunize enabled), AdAware, SpywareBlaster and SpywareGuard.
Here are two essential anti-spyware programs which you should run regularly. Updates for these programs come out weekly. Run them now.
Spybot Search & Destroy instructions (~3.5MB)
- Download Spybot (written by Patrick Kolla). Click <download> from
http://www.safer-networking.org/
Save spybotsd13.exe into its own directory, NOT in a TEMPorary folder or on the Desktop.
I recommend c:/program files/spybot/
- Doubleclick spybotsd13.exe. Make sure to direct the program to install in the c:/program files/spybot/ directory, NOT the default directory.
- Open Spybot from Start | Programs | Spybot | Spybot S&D
- Select <Search for Updates>. Let it install all updates. This is very important!
- Select <Immunize>
- Select <Check for Problems>
- Check all entries that are in RED. Only RED, NOTHING ELSE. For your records, write/print out each item that you have fixed. Date it.
- Select <Fix Selected Problems>
- Close Spybot
Ad-Aware instructions (2563 kB)
- Download Ad-Aware SE build 1.05 (written by Lavasoft) from
http://www.lavasoft.de/
If you have a previous version of AdAware installed, you will be prompted to uninstall or keep the older version during installation. Be sure to choose Uninstall The Previous Version. Save aawsepersonal.exe into its own directory, NOT in a TEMPorary folder or on the Desktop. I recommend c:/program files/Adaware/
- Doubleclick aawsepersonal.exe. Make sure to direct the program to install in the c:/program files/adaware/ directory, NOT the default directory.
- Open AdAware from Start | Programs | Lavasoft | Adaware.
- Select <Check for updates now>, <Proceed>
- Setting adjustments. [[Green = checked]] Click the Gear Icon in the top right corner. New settings:
  - By default you begin in the <General> section. The following should be checked:
    - Automatically save logfile
    - Automatically quarantine objects prior to removal
    - Safe Mode (always request confirmation)
    - Prompt to update outdated confirmation - change to "7 days"
  - Click <Scanning>
    - Check Scan within Archives
    - Select "Select drives & folders to scan", check all of your harddrives. Usually it's just c:/, <Proceed>
    - Under Memory & Registry, select all options
  - Click <Advanced>
    - Under Shell Integration, select "Move deleted files to Recycle Bin"
    - Under Logfile detail, select all options
  - Click <Defaults>
  - Click <Tweak>
    - Expand Scanning Engine and make sure the following are selected:
      - Unload recognized processes during scanning
      - Obtain command line of scanned processes
      - Scan registry for all users instead of current user only
    - Expand Cleaning Engine and make sure the following are selected:
      - Always try to unload modules before deletion
      - During removal, unload explorer and IE if necessary
      - Let Windows remove files in use at next reboot
      - Delete quarantined objects after restoring
    - Expand Safety Settings and make sure the following are selected:
      - Write-protect system files after repair (Hosts file, etc)
- Click <Proceed> | <Start> | select Use custom scanning options | <Next>
- When the scan is finished, rightclick on any entry and choose <Select All Objects>.
- Select <Clean>
- Close Adaware
----------------------------------------------------------------
Preventing future infections:
As a first line of defense I strongly recommend a good firewall, like Norton Firewall 2004, ZoneAlarm Pro or Kerio; all three are very highly rated. If you are short on $ there are several free options available to you. Consider ZoneAlarm or Outpost.
Running Spybot S&D and AdAware regularly is a good second line of defense.
Additional protections
SpywareBlaster and IE-SpyAd are run-once prevention programs which are also free. You only need to update them periodically. SpywareGuard is live protection from spyware.
SpywareBlaster (2.1 MB) is not a system cleaner like Spybot; rather it blocks/prevents bad ActiveX and malevolent cookies from entering your system in the first place.
IE-SpyAd (227 kB) places over 5000 sites into your Restricted Zone so you do not accidentally visit known evil sites.
SpywareGuard (1.96 MB) functions like an antivirus program, scanning files before they are opened and downloaded, but for spyware. It also protects your internet browser from hijacks.
See also "So how did I get infected in the first place?" for more information about spyware prevention.
----------------------------------------------------------------
Run AdAware and Spybot, then post a fresh HJT log.
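----------------------------------------------------------------
Added example, not part of the original post and not HijackThis code: a small Python triage pass over the R0/R1 lines of a HijackThis log that flags Internet Explorer page settings pointing at a bare IP address, as the entries in the fix list above do. The function names and the bare-IP heuristic are assumptions for illustration; the sample lines come from the fix list above plus one constructed example.com line.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# R0/R1 lines look like: "R1 - HKCU\...\Main,Default_Page_URL = http://host/path"
R_LINE = re.compile(r"^(R[01]) - (HKCU|HKLM)\\(.+?),(.+?) = (\S+)\s*$")

def parse_r_entry(line):
    """Return a dict for an R0/R1 line with a value, or None for any other line."""
    m = R_LINE.match(line.strip())
    if not m:
        return None
    code, hive, key, value, url = m.groups()
    return {"code": code, "hive": hive, "key": key, "value": value, "url": url}

def host_is_ip_literal(url):
    """True when the URL's host is a raw IPv4/IPv6 address instead of a name."""
    host = urlsplit(url).hostname
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def suspicious_entries(log_text):
    """Heuristic (assumption): IE page settings set to a bare IP deserve review."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_r_entry(line)
        if entry and host_is_ip_literal(entry["url"]):
            hits.append(entry)
    return hits

# Lines copied from the fix list above; the example.com line is constructed.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.example.com/search
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
"""

if __name__ == "__main__":
    for e in suspicious_entries(SAMPLE_LOG):
        print(f'{e["code"]} {e["hive"]} {e["value"]!r} -> {e["url"]}')
```

A hit is only a prompt to look at the entry; a start page served from a known internal address would match the same heuristic.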