Welcome back
Please disable SpySweeper, as it may hinder the removal of some HijackThis entries. You can re-enable it after you're clean.
To disable SpySweeper:
Open it, click > Options over to the left then > click the Program tab > Uncheck "Start Spy Sweeper at Windows startup".
Over to the left click "shields"
Click the "Internet Explorer" tab and uncheck all there.
Click the "Windows System" tab and uncheck all there.
Click the "Host File" tab and uncheck all there.
Click the "Startup Programs" tab and uncheck "Startup Items Shield".
Remember after your system is clean to re-enable Spy Sweeper.
We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.
Open Windows Defender.
Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.
After all of the fixes are complete it is very important that you enable Real-time Protection again.
Please disable CounterSpy, as it may hinder the fixing of some HijackThis entries. You can re-enable it after you're clean.
To disable CounterSpy:
Right Click on the CounterSpy Icon located in your system tray.
With your mouse, hover over Active Protection Status (This should be enabled)
A menu will slide out, then right click on Disable Active Protection
Once your log is clean please re-enable CounterSpy
I see you have Morpheus installed. I do not recommend Morpheus because it is bundled with spyware. That's why I suggest uninstalling Morpheus.
Go to Add/Remove Programs in the Control Panel and uninstall:
Morpheus
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
Open HJT and click scan only, place a check by these entries
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKCU\..\Run: [96] "C:\WINDOWS\system32\96.exe"
Close all windows and browsers except HJT and click fix checked
Open notepad and copy/paste the entire text in the quotebox below: (don't forget to copy and paste REGEDIT4)
Quote:
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Alcmtr"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"96"=-
Save the file as "delete.reg". Make sure to save it with the quotes. Choose to "Save as type" - "All Files". Double-click on the delete.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.
Please download ATF Cleaner by Atribune and save it to your desktop.
http://www.atribune.org/ccount/click.php?id=1
Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
For additional help in booting into Safe Mode, see the following site:
• http://www.pchell.com/support/safemode.shtml
Double-click ATF-Cleaner.exe to run the program.
- Under Main "Select Files to Delete" choose: Select All.
- Click the Empty Selected button.
- If you use Firefox browser click Firefox at the top and choose: Select All
- Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
- If you use Opera browser click Opera at the top and choose: Select All
- Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
Using Windows Explorer, search for and delete these files/folders:
C:\WINDOWS\system32\SBRC.dat
C:\WINDOWS\system32\SBFC.dat
C:\WINDOWS\system32\96.exe
Please go to Start, then Search, and locate and delete ALCMTR.EXE
If you have trouble finding any of those files, then configure Windows Explorer to show hidden files and folders and go after them again. (Remember to hide files and folders once done.)
Enable viewing of hidden files as follows:
1) Go to My Computer, and click on the "Tools" menu
2) Click "Folder options"
3) Select the "View" tab
4) Make sure "Show hidden files and folders" is selected
5) Make sure "Hide extensions for known file types" is unchecked
6) Make sure "Hide protected operating system files (recommended)" is unchecked.
- Doubleclick the drweb-cureit.exe file and Allow to run the express scan
- This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
- Once the short scan has finished, mark the drives that you want to scan.
- Select all drives. A red dot shows which drives have been chosen.
- Click the green arrow at the right, and the scan will start.
- Click 'Yes to all' if it asks if you want to cure/move the file.
- When the scan has finished, look if you can click next icon next to the files found:

- If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:

This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
- After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
- Save the report to your desktop. The report will be called DrWeb.csv
- Close Dr.Web Cureit.
- Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
- After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.
After your DrWeb scan completes....
Perform an online scan with Internet Explorer with Panda ActiveScan
- Click on
located at the bottom of the page.
- A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
- Enter your e-mail address, country, and state & click "Free Online Scan" *The download of the 8 MB Panda's ActiveX control will take place*
Begin the scan by selecting

- If it finds any malware, it will offer you a report.
- Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
- Click on
then click 
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan
In your next reply I need:
DrWeb.csv log
New HJT log
Panda log
Comments on how your computer is running now
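
Added example, not part of the original post: a small Python check that lists every operation a .reg file would perform before it is merged, and flags anything other than the two Run-value deletions the delete.reg above is supposed to make. The function names and the embedded sample (rebuilt from the quote box) are this example's own.

```python
import re

# Constructed sample: the delete.reg contents from the quote box above.
SAMPLE_REG = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Alcmtr"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"96"=-
'''

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
KEY_RE = re.compile(r'^\[(-?)(.+)\]$')
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")\s*=\s*(.*)$')
RUN_SUFFIX = r"\software\microsoft\windows\currentversion\run"

def audit_reg(text):
    """Return (action, key, value_name) for every operation in a .reg file."""
    # Join multi-line hex values (lines ending in a backslash) first.
    text = re.sub(r'\\\r?\n[ \t]*', '', text.lstrip("\ufeff"))
    lines = [ln.strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith(";")]
    if not lines or lines[0] not in HEADERS:
        raise ValueError("not a .reg file: header line missing")
    ops, key = [], None
    for ln in lines[1:]:
        m = KEY_RE.match(ln)
        if m:
            key = m.group(2)
            if m.group(1):  # [-HKEY_...] removes the whole key
                ops.append(("delete-key", key, None))
            continue
        m = VALUE_RE.match(ln)
        if not m or key is None:
            raise ValueError("unparseable line: %r" % ln)
        name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
        action = "delete-value" if m.group(2) == "-" else "set-value"
        ops.append((action, key, name))
    return ops

def unexpected(ops, expected_names):
    """Operations other than deleting an expected value from a Run key."""
    wanted = {n.lower() for n in expected_names}
    return [op for op in ops
            if not (op[0] == "delete-value"
                    and op[1].lower().endswith(RUN_SUFFIX)
                    and op[2].lower() in wanted)]

if __name__ == "__main__":
    for op in audit_reg(SAMPLE_REG):
        print(op)
    print("unexpected:", unexpected(audit_reg(SAMPLE_REG), ["Alcmtr", "96"]))
```

An empty "unexpected" list means the file only removes the listed startup values; any set-value or delete-key entry is worth questioning before choosing Yes at the merge prompt.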