TechSpot

hijackthis log

By maitagrg
Apr 13, 2007
  1. Dear sirs,

    Attached is my hijackthis log. Please do help.

    Thank you.

    Maita.
     
  2. momok

    momok TS Rookie Posts: 2,265

    Hi

    You may wish to copy and paste these instructions on notepad for easier reference later.

    Boot into safe mode under your normal user name. See how HERE

    Next turn on "Show all files and folders, including hidden and system". See how HERE

    Run AVG antispyware scan and quarantine the items. See HERE for instructions.

    Go to start > run and type services.msc. Press the enter key.

    Search for the following services(if there) double click to select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    UAService.exe
    ALCMTR.EXE
    PokeType.exe


    Open your task manager by pressing holding ctrl, alt and pressing del. Alternatively, use ctrl + shift + esc. Go to the processes tab, and end the following processes, if found:

    UAService.exe
    ALCMTR.EXE
    PokeType.exe


    After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked":

    O2 - BHO: (no name) - {A447D40F-6168-015D-2952-412FD0655378} - (no file)
    O3 - Toolbar: iMeshBar - {5345A7A9-805A-4923-B505-86B2FEBA3FE0} - (no file)
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [platform dash intra anti] C:\Documents and Settings\All Users\Application Data\16 settings platform dash\PokeType.exe
    O4 - HKLM\..\Run: [DriveCleaner] "C:\Program Files\DriveCleaner\DC.exe" /min
    O4 - HKCU\..\Run: [First acid] C:\DOCUME~1\HP_Owner\APPLIC~1\CHINFI~1\anteidoltrust.exe
    O23 - Service: SecuROM User Access Service (UserAccess) - Unknown owner - C:\WINDOWS\system32\UAService.exe

    Also, please fix the O15 entry if you did not add the site into your trusted zone. Fix the O17 entry if it is not your ISP.
    O15 - Trusted Zone: http://www.pocado.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{EE84CB9E-EA81-4E11-B74E-681B28DA86B6}: NameServer = 212.139.132.7 212.139.132.6

    Close HJT.

    Navigate in Windows Explorer and delete the following bold files.
    C:\WINDOWS\ALCMTR.EXE
    C:\WINDOWS\system32\UAService.exe
    C:\Documents and Settings\All Users\Application Data\16 settings platform dash\PokeType.exe


    Reboot into normal mode and rehide your protected OS files.

    Thereafter, please post a fresh HJT and AVG Antispyware log from normal mode as an attachment into this thread.
     
  3. maitagrg

    maitagrg TS Rookie Topic Starter

    Thank you for your support and help.
     
  4. momok

    momok TS Rookie Posts: 2,265

    Hi,

    Regarding this HijackThis entry, does the domain belong to your ISP?
    If not, please fix it.
    O17 - HKLM\System\CCS\Services\Tcpip\..\{EE84CB9E-EA81-4E11-B74E-681B28DA86B6}: NameServer = 212.139.132.21 212.139.132.20

    Also, fix this entry:
    O23 - Service: SecuROM User Access Service (UserAccess) - Unknown owner - C:\WINDOWS\system32\UAService.exe (file missing)

    Apart from that, your log looks clean now.

    Turn off system restore (XP/ME only). Learn how to do that HERE.

    This will remove all the remaining nasties from your old restore points.
    After that turn system restore back on.
    This would have created a new safe and clean restore point for your system.

    Should you have any further problems, please post in this thread.


    Regards,
    Your friendly Momok =)
     
  5. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    momok:

    To fix that 023 entry, these are the instructions you should have given as 023 entries are services and need to be disabled first. This also applies for any 04 run services entries which are nasty.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Click start/run and type services.msc into the run box and press the enter key.

    When the window appears, maximise it. Double click on the following services(if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    SecuROM User Access Service (UserAccess)<disable the service name and/or the name in brackets.

    Close the services window.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for(if there).

    UAService.exe

    Close task manager.

    Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

    O23 - Service: SecuROM User Access Service (UserAccess) - Unknown owner - C:\WINDOWS\system32\UAService.exe (file missing)

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories(if there).

    C:\WINDOWS\system32\UAService.exe

    Reboot into normal mode and rehide your protected OS files.

    Regards Howard :)
     
  6. momok

    momok TS Rookie Posts: 2,265

    Hi,

    Howard: Actually in my previous post that service was already addressed.
    maitagrg: Just to check, did you follow my post advice accordingly?


    Regards,
    Your friendly Momok =)
     
  7. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Sorry mate, I didn`t see that. However, if the entry still shows up in HJT, then the service must still be running, so another way has tio be found to get rid of the C:\WINDOWS\system32\UAService.exe file. Perhaps the Avenger would delete it.


    Regards Howard :)
     
  8. momok

    momok TS Rookie Posts: 2,265

    That sounds bad.

    maitagrg: In that case, please follow the instructions here.

    1. Download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

    2. Download the attached avengerscript.txt (from my attachment) and save it to your desktop

    Note: the above code was created specifically for maitagrg. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    3. Now, start The Avenger program by double clicking on its icon on your desktop.

    Under "Script file to execute" choose "Load script from file".
    Now click on the folder icon which will open a new window titled "open Script File"
    navigate to the file you have just downloaded, click on it and press open
    Now click on the Green Light to begin execution of the script
    Answer "Yes" twice when prompted.

    4. The Avenger will automatically do the following:

    It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    On reboot, it will briefly open a black command window on your desktop, this is normal.
    After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

    5. Please attach the content of c:\avenger.txt into your reply, as well as a fresh HJT log.


    Regards,
    Your friendly Momok =)
     
  9. maitagrg

    maitagrg TS Rookie Topic Starter

    hjt log

    Dear Momok,

    Thank you very much for your help. Looks like I have got rid of the nasties for now. But still unsure if I should reformat the drives as I shop and bank through the system. Any suggestions?

    Attached is the latest HJT log.

    Thank you and regards,

    Maita.
     
  10. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your HJT log is clean.

    However, since you use online banking etc, we cannot guarantee the safety of your system. It`s quite possible your details may have already been stolen.

    If it were my system I would reformat it and contact my bank etc and tell them my computer has been compromised.

    This thread HERE might help you to decide your best course of action.

    Regards Howard :)

    This thread is for the use of maitagrg only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...