|
|
|
|
|||||
|
|
|
|
|
|
|||
| Welcome
to Tech Support Forum home to more then 136,000 problems solved. Issues
have included: Spyware, Malware, Virus Issues, Windows, Microsoft,
Linux, Networking, Security, Hardware, and Gaming Getting your
problem solved is as easy as: 1. Registering for a free account 2. Asking your question 3. Receiving an answer Registered members: * See fewer ads. * And much more..
|
| Want to know how to post a question? click here | Having problems with spyware and pop-ups? First Steps |
|
|||||||
| HijackThis Log Help Get Rid Of Malware With Help From Our Analysts. Follow the "First Steps" link at the top right of each page before posting for help. |
 |
|
|
Thread Tools |
09-25-2004, 12:21 PM
|
#1 (permalink) |
|
Registered User
Join Date: Sep 2004
Location: Southeast
Posts: 7
OS: WinXP
|
Cleaning up Registry and Startup
Hello,
I have gathered so much useful information from this site. I am very appreciative this site exists.  I am not a computer whiz, but I have a question. I did not have any anti-virus software on my computer until a few days ago. Now, I think I need to clean up what is called the registry and the startup folder so that spyware programs don't keep loading. My computer is low on resources, and I think this is why. I have heard of the msconfig utility, but I don't think I did something right. The programs came back when I rebooted. Could anyone give me a summary of the steps I should do? Thanks so much! |
|
     
|
|
09-25-2004, 04:41 PM
|
#2 (permalink) |
|
Registered User
Join Date: Nov 2003
Location: Swink Colorado
Posts: 172
OS: WXP Pro
|
Go download SpyBot and HiJackThis, both are great programs!
http://www.spychecker.com/program/hijackthis.html http://www.download.com/Spybot-Searc...ubj=dl&tag=but Sounds like you need to empty you IE5 cach files and get rid of some spyware!
__________________
Duck |
|
|
|
|
09-26-2004, 05:11 AM
|
#3 (permalink) |
|
Registered User
Join Date: Sep 2004
Location: Southeast
Posts: 7
OS: WinXP
|
Hi Duck,
Thank you for the 2 websites. I will do this today. One question about the cache of the IE files. Are these the 'files' 'Temporary Internet Files' under the General tab of Internet options? Again, I appreciate the time and help. |
|
|
|
|
09-29-2004, 05:43 PM
|
#5 (permalink) |
|
Registered User
Join Date: Sep 2004
Location: Southeast
Posts: 7
OS: WinXP
|
Hello,
I have downloaded the 'Hijack' program, and I have listed the log. I am still confused. Does any of this make sense? Logfile of HijackThis v1.97.7 Scan saved at 8:42:00 PM, on 9/29/2004 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Real\RealPlayer\RealPlay.exe C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasDtServ.exe C:\Program Files\Hewlett-Packard\HP OfficeJet G Series\bin\hpodev07.exe C:\WINDOWS\System32\svchost.exe C:\PROGRA~1\HEWLET~1\HPOFFI~1\BIN\HPOEVM07.EXE C:\Program Files\Hewlett-Packard\HP OfficeJet G Series\bin\HPOSTS07.exe C:\Program Files\Hewlett-Packard\HP OfficeJet G Series\bin\HPOFXM07.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Hewlett-Packard\HP OfficeJet G Series\FRU\Remind32.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\Denise\Local Settings\Temporary Internet Files\Content.IE5\9S213NGM\HijackThis[1].exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id= R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id= R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id= R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id= R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.topfivesearch.com/search.asp R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.topfivesearch.com/search.asp R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id= R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id= R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q= R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm O2 - BHO: (no name) - {2E65A557-173C-4DE9-860B-28FC5CACA542} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\Setup\Setup.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [SystemTray] SysTray.Exe O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime O4 - HKLM\..\Run: [gcasServ] C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe O4 - HKLM\..\Run: [gcasDtServ] gcasDtServ.exe O4 - Global Startup: HPAiODevice.lnk = C:\Program Files\Hewlett-Packard\HP OfficeJet G Series\bin\hpodev07.exe O4 - Global Startup: Hewlett-Packard Recorder.lnk = C:\Program Files\Hewlett-Packard\HP OfficeJet G Series\FRU\Remind32.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZRxdm185 O9 - Extra button: Real.com (HKLM) O9 - Extra button: Messenger (HKLM) O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM) O16 - DPF: Win32 Classes - O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache...tup1.0.0.8.cab O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/03109832...p/RdxIE601.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1095114476977 O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.co...033.4324768518 O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab |
|
|
|
|
09-29-2004, 08:23 PM
|
#6 (permalink) |
|
Admin/Head GreaseMonkey/Igor's alter ego/Grand Exalted PoohBah
Join Date: Dec 2001
Location: SC
Posts: 2,599
OS: Windows XP SP2/Windows 98SE/Fedora Core 6/RH 7.2 with Autopoint
|
Moving to AV/Spyware/HJT section....
__________________
 If you know anyone who graduated from North Myrtle Beach (SC) High in 1988, please contact MT for reunion information. Sharing my life...with my Imzadi! Interested in Trek gaming? Check out the Dynaverse! Proud supporter of the Carolinas Aviation Museum. If we have helped you in any way, please donate to keep TSF up and running! |
|
|
|
|
10-01-2004, 08:46 AM
|
#7 (permalink) |
|
Analyst, Security Team
|
Before you do anything else, please create a folder for HijackThis and put it in a permanent folder (like C:\HJT) instead of the Temp folder. This is required because HijackThis will create backups and we don't want them to be deleted.
Go to the bottom of this message to get the latest version of HijackThis. If the site is down, you can also get it here. Please print out or copy this page to Notepad. You should not have any open browsers when you are following the procedures below. Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible also. Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer. After we are finished with your log file and verified that it's clean, you may turn it back on and create a new restore point. Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Check and fix the following in HijackThis if they still exist (make sure not to miss any): R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id= R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id= R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id= R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id= R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.topfivesearch.com/search.asp R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.topfivesearch.com/search.asp R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id= R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id= R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q= R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm O2 - BHO: (no name) - {2E65A557-173C-4DE9-860B-28FC5CACA542} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\Setup\Setup.dll O4 - HKLM\..\Run: [gcasDtServ] gcasDtServ.exe O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZRxdm185 O16 - DPF: Win32 Classes - O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocach...etup1.0.0.8.cab O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/0310983...ip/RdxIE601.cab Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist: C:\DOCUME~1\ALLUSE~1\APPLIC~1\Setup\ gcasDtServ.exe Reboot into Normal Mode and post a new HijackThis log file so we can make sure it's clean. To help prevent future spyware installations/infections, please read my anti-spyware section and use the tools provided.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it. |
|
|
|
|
| Thread Tools | |
|
|
