pskelley
July 1st, 2004 14:00
Hi, If you would like us to take a look at your computer, we will need you to follow the directions below. Once your log is posted, please be patient. We are all volunteers with families and real jobs, and the logs being posted are many. We do work the logs in the order they come in. One of the experts here will assist you with your log as soon as possible. Thanks...pskelley
We need you to download and install an analysis and repair tool called Hijackthis.
Download the zipped file from here: http://www.majorgeeks.com/download3155.html
Please unzip Hijackthis.zip into a new folder you create in the root (first) level of the C: drive. Name this folder HJT for best and safest results. Don't place it on the Wallpaper, in a temp folder, or in the root level of the C: drive or the My Documents folder. It will create many backup files and they need to be stored in a unique Hijackthis folder. If it is properly placed it will look like this: C:\HJT\HijackThis.exe.
Hijackthis FAQ (Frequently Asked Questions) at: http://russelltexas.com/malware/faqhijackthis.htm
After downloading, and unzipping the hijackthis file into a safe folder you create (preferably a folder named HJT in the first level of the C: drive)...run Hijackthis, click on the 'scan' button and then 'save log' button.
Copy and paste the contents of the text file you save into a reply to this message. A lot of posters make mistakes here in copying and pasting so reread the left info sidebar called Copy and Paste at http://www.tomcoyote.com/hjt
Special Notice! Hijackthis is a powerful tool that edits the brains of Windows (the Registry). DO NOT FIX anything in the Hijackthis log screen without assistance from the experts! Most of the line items in the scanned log are normal for Windows operation. Hijackthis should identify the vast majority of your problems and enable us to help you clean them off your system.
Stay in this thread for continuity. Reply to this message.
Thanks,
pskelley
In Training at TomCoyote.com and Spywareinfo.com
Please be aware only the following DellForum members were trained at TomCoyote.com and SpywareInfo.com to help with malware like viruses, worms, adware, scumware, foistware and crudware in general. They are also the only experts specifically trained to analyze and advise on Hijackthis logs: Texruss, Baskar1234, Grinler, ChrisRLG, SpotCheckBilly, and pskelley. (If you are one of our classmates and not on this list email me for an addition to this list...we need all the help we can get *;-)
mhn2
July 13th, 2004 17:00
Thanks,
Here is the Hijackthis scan I did last night. I "fixed" several of the suspicious entries, but I still can't get rid of this CWS problem.
Logfile of HijackThis v1.97.7
Scan saved at 11:41:22 PM, on 7/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\HistoryKill\histkill.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\atlwy32.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\SYSTEM32\GEARSEC.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Net Nanny\nnsvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\appzj32.exe
C:\Program Files\Net Nanny\nntray.exe
C:\Downloads\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/comcast.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = wmplayer.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [NNTray] C:\Program Files\Net Nanny\nnstart.exe
O4 - HKLM\..\Run: [HistoryKill] C:\Program Files\HistoryKill\histkill.exe /startup
O4 - HKLM\..\Run: [EPSON Stylus CX5400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O6 "USB002" /M "Stylus CX5400"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Creating Keepsakes Scrapbook Designer Event Reminder.lnk = C:\Program Files\Scrapbook Designer\scrapremind.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38040.8831018519
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Thanks for any assistance.
pskelley
July 13th, 2004 18:00
Special Notice! Hijackthis is a powerful tool that edits the brains of Windows (the Registry). DO NOT FIX anything in the Hijackthis log screen without assistance from the experts!
If you "fixed" something, then scanned before rebooting, your log might not be a clear picture of the infection you had. Please follow these directions. Open HijackThis, then click on Config. Then at the top choose Misc Tools. Near the bottom on the left side, choose "Check for update online", follow the directions to update your HijackThis to the newest version 1.98. Then post a fresh log in this same thread, which will be in HijackThis 1.98. Please be patient until an expert can assist with your log. Keep in mind we are overworked and underpaid. (volunteers) Thanks...pskelley
Message Edited by pskelley on 07-13-2004 04:12 PM
Texruss
July 13th, 2004 19:00
It's a tossup on a restore since you just got the computer...not a whole lot extra loaded probably. The two new variants of CWS that are hard to fix can be a pain. I can't tell which you have since you fixed some lines...look on my Malware page and see if you can identify your R1 and R2 lines:
http://russelltexas.com/malware/malware.htm
If you see yours there (temp folder...or the random number entry version) then you can decide if you want to try the fixes. Some victims have had success...some haven't.
Texruss
www.russelltexas.com
Spyware Fighter Wilders Forum
Slyware Warrior Tom Coyote Forum
Expert Malware Responder Dell Forum
Please be aware only the following DellForum members were trained at TomCoyote.com and SpywareInfo.com to help with malware like viruses, worms, adware, scumware, foistware and crudware in general. They are also the only experts specifically trained to analyze and advise on Hijackthis logs: Texruss, Baskar1234, Grinler, ChrisRLG, SpotCheckBilly, and pskelley.
Also...these longtime DellForum regulars have proven to me time and again their advice is excellent for malware questions in general, Windows operations, and many specific items in Hijackthis logs: jimw, ddeerrff, and msgale. Please follow their advice when they respond to your problems. They have a proven track record here.
BTW...clicking on people's usernames at the left will reveal information about them if they chose to have an open profile. My credentials are available for your perusal.
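The R-line comparison Texruss asks for above, sketched as an added example (not part of the original thread and not HijackThis's own code): a small Python parser that splits a HijackThis text log into header, running processes and coded entries, breaks each R line into registry key, value name and data so it can be compared against a reference list, and lists running processes that no entry line names. The sample is an excerpt of the log posted earlier in this thread; the function names are hypothetical.

```python
import re

# Excerpt from the HijackThis v1.97.7 log posted earlier in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Scan saved at 11:41:22 PM, on 7/12/2004
Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\HistoryKill\histkill.exe
C:\WINDOWS\appzj32.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/comcast.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = wmplayer.exe
O4 - HKLM\..\Run: [HistoryKill] C:\Program Files\HistoryKill\histkill.exe /startup
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")      # section code, e.g. "R1 - ..." or "O16 - ..."
REG_VALUE = re.compile(r"^([^,]+),(.*?) = (.*)$")   # registry key,value name = data

def parse_log(text):
    """Split a log into header lines, running processes and (code, body) entries."""
    header, processes, entries, in_procs = [], [], [], False
    for line in filter(None, map(str.strip, text.splitlines())):
        m = ENTRY.match(line)
        if m:
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif line.lower().startswith("running processes"):
            in_procs = True
        elif in_procs:
            processes.append(line)
        else:
            header.append(line)
    return header, processes, entries

def r_lines(entries):
    """Break R-section entries into (code, registry key, value name, data)."""
    rows = []
    for code, body in entries:
        if code.startswith("R"):
            m = REG_VALUE.match(body)
            # Keep the raw body when a line does not follow the key,name = data shape.
            rows.append((code, *m.groups()) if m else (code, body, "", ""))
    return rows

def unreferenced_processes(processes, entries):
    """Running processes named in no entry line of the same log.
    Core Windows processes land here too: a list to look up, not a verdict."""
    bodies = " ".join(body for _, body in entries).lower()
    return [p for p in processes if p.lower() not in bodies]

print(r_lines(parse_log(SAMPLE_LOG)[2]))
```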
mhn2
July 15th, 2004 15:00
Texruss,
Since the machine is so new and I could easily backup all my files and do the system restore, would this effectively remove the CWS problem? I mean, the PC would be completely wiped clean and reload the factory settings right? Also, is the system restore a long process?
Secondly, would loading Zone Alarm firewall program be good protection against future attacks?
Thanks,
Mike