hijackthis log
- Thread starter maitagrg
- Start date
- Status
momok
Posts: 2,127 +6
Hi
You may wish to copy and paste these instructions on notepad for easier reference later.
Boot into safe mode under your normal user name. See how HERE
Next turn on "Show all files and folders, including hidden and system". See how HERE
Run AVG antispyware scan and quarantine the items. See HERE for instructions.
Go to start > run and type services.msc. Press the enter key.
Search for the following services(if there) double click to select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.
UAService.exe
ALCMTR.EXE
PokeType.exe
Open your task manager by pressing holding ctrl, alt and pressing del. Alternatively, use ctrl + shift + esc. Go to the processes tab, and end the following processes, if found:
UAService.exe
ALCMTR.EXE
PokeType.exe
After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked":
O2 - BHO: (no name) - {A447D40F-6168-015D-2952-412FD0655378} - (no file)
O3 - Toolbar: iMeshBar - {5345A7A9-805A-4923-B505-86B2FEBA3FE0} - (no file)
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [platform dash intra anti] C:\Documents and Settings\All Users\Application Data\16 settings platform dash\PokeType.exe
O4 - HKLM\..\Run: [DriveCleaner] "C:\Program Files\DriveCleaner\DC.exe" /min
O4 - HKCU\..\Run: [First acid] C:\DOCUME~1\HP_Owner\APPLIC~1\CHINFI~1\anteidoltrust.exe
O23 - Service: SecuROM User Access Service (UserAccess) - Unknown owner - C:\WINDOWS\system32\UAService.exe
Also, please fix the O15 entry if you did not add the site into your trusted zone. Fix the O17 entry if it is not your ISP.
O15 - Trusted Zone: http://www.pocado.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{EE84CB9E-EA81-4E11-B74E-681B28DA86B6}: NameServer = 212.139.132.7 212.139.132.6
Close HJT.
Navigate in Windows Explorer and delete the following bold files.
C:\WINDOWS\ALCMTR.EXE
C:\WINDOWS\system32\UAService.exe
C:\Documents and Settings\All Users\Application Data\16 settings platform dash\PokeType.exe
Reboot into normal mode and rehide your protected OS files.
Thereafter, please post a fresh HJT and AVG Antispyware log from normal mode as an attachment into this thread.
You may wish to copy and paste these instructions on notepad for easier reference later.
Boot into safe mode under your normal user name. See how HERE
Next turn on "Show all files and folders, including hidden and system". See how HERE
Run AVG antispyware scan and quarantine the items. See HERE for instructions.
Go to start > run and type services.msc. Press the enter key.
Search for the following services(if there) double click to select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.
UAService.exe
ALCMTR.EXE
PokeType.exe
Open your task manager by pressing holding ctrl, alt and pressing del. Alternatively, use ctrl + shift + esc. Go to the processes tab, and end the following processes, if found:
UAService.exe
ALCMTR.EXE
PokeType.exe
After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked":
O2 - BHO: (no name) - {A447D40F-6168-015D-2952-412FD0655378} - (no file)
O3 - Toolbar: iMeshBar - {5345A7A9-805A-4923-B505-86B2FEBA3FE0} - (no file)
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [platform dash intra anti] C:\Documents and Settings\All Users\Application Data\16 settings platform dash\PokeType.exe
O4 - HKLM\..\Run: [DriveCleaner] "C:\Program Files\DriveCleaner\DC.exe" /min
O4 - HKCU\..\Run: [First acid] C:\DOCUME~1\HP_Owner\APPLIC~1\CHINFI~1\anteidoltrust.exe
O23 - Service: SecuROM User Access Service (UserAccess) - Unknown owner - C:\WINDOWS\system32\UAService.exe
Also, please fix the O15 entry if you did not add the site into your trusted zone. Fix the O17 entry if it is not your ISP.
O15 - Trusted Zone: http://www.pocado.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{EE84CB9E-EA81-4E11-B74E-681B28DA86B6}: NameServer = 212.139.132.7 212.139.132.6
Close HJT.
Navigate in Windows Explorer and delete the following bold files.
C:\WINDOWS\ALCMTR.EXE
C:\WINDOWS\system32\UAService.exe
C:\Documents and Settings\All Users\Application Data\16 settings platform dash\PokeType.exe
Reboot into normal mode and rehide your protected OS files.
Thereafter, please post a fresh HJT and AVG Antispyware log from normal mode as an attachment into this thread.
momok
Posts: 2,127 +6
Hi,
Regarding this HijackThis entry, does the domain belong to your ISP?
If not, please fix it.
O17 - HKLM\System\CCS\Services\Tcpip\..\{EE84CB9E-EA81-4E11-B74E-681B28DA86B6}: NameServer = 212.139.132.21 212.139.132.20
Also, fix this entry:
O23 - Service: SecuROM User Access Service (UserAccess) - Unknown owner - C:\WINDOWS\system32\UAService.exe (file missing)
Apart from that, your log looks clean now.
Turn off system restore (XP/ME only). Learn how to do that HERE.
This will remove all the remaining nasties from your old restore points.
After that turn system restore back on.
This would have created a new safe and clean restore point for your system.
Should you have any further problems, please post in this thread.
Regards,
Your friendly Momok =)
Regarding this HijackThis entry, does the domain belong to your ISP?
If not, please fix it.
O17 - HKLM\System\CCS\Services\Tcpip\..\{EE84CB9E-EA81-4E11-B74E-681B28DA86B6}: NameServer = 212.139.132.21 212.139.132.20
Also, fix this entry:
O23 - Service: SecuROM User Access Service (UserAccess) - Unknown owner - C:\WINDOWS\system32\UAService.exe (file missing)
Apart from that, your log looks clean now.
Turn off system restore (XP/ME only). Learn how to do that HERE.
This will remove all the remaining nasties from your old restore points.
After that turn system restore back on.
This would have created a new safe and clean restore point for your system.
Should you have any further problems, please post in this thread.
Regards,
Your friendly Momok =)
howard_hopkinso
Posts: 21,238 +17
momok:
To fix that 023 entry, these are the instructions you should have given as 023 entries are services and need to be disabled first. This also applies for any 04 run services entries which are nasty.
You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.
Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.
In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.
Click start/run and type services.msc into the run box and press the enter key.
When the window appears, maximise it. Double click on the following services(if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.
SecuROM User Access Service (UserAccess)<disable the service name and/or the name in brackets.
Close the services window.
Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.
Click on the processes tab and end process for(if there).
UAService.exe
Close task manager.
Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).
O23 - Service: SecuROM User Access Service (UserAccess) - Unknown owner - C:\WINDOWS\system32\UAService.exe (file missing)
Click on the fix checked button.
Close HJT.
Locate and delete the following bold files and/or directories(if there).
C:\WINDOWS\system32\UAService.exe
Reboot into normal mode and rehide your protected OS files.
Regards Howard
To fix that 023 entry, these are the instructions you should have given as 023 entries are services and need to be disabled first. This also applies for any 04 run services entries which are nasty.
You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.
Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.
In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.
Click start/run and type services.msc into the run box and press the enter key.
When the window appears, maximise it. Double click on the following services(if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.
SecuROM User Access Service (UserAccess)<disable the service name and/or the name in brackets.
Close the services window.
Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.
Click on the processes tab and end process for(if there).
UAService.exe
Close task manager.
Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).
O23 - Service: SecuROM User Access Service (UserAccess) - Unknown owner - C:\WINDOWS\system32\UAService.exe (file missing)
Click on the fix checked button.
Close HJT.
Locate and delete the following bold files and/or directories(if there).
C:\WINDOWS\system32\UAService.exe
Reboot into normal mode and rehide your protected OS files.
Regards Howard
howard_hopkinso
Posts: 21,238 +17
Sorry mate, I didn`t see that. However, if the entry still shows up in HJT, then the service must still be running, so another way has tio be found to get rid of the C:\WINDOWS\system32\UAService.exe file. Perhaps the Avenger would delete it.
Regards Howard
Regards Howard
momok
Posts: 2,127 +6
That sounds bad.
maitagrg: In that case, please follow the instructions here.
1. Download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.
2. Download the attached avengerscript.txt (from my attachment) and save it to your desktop
Note: the above code was created specifically for maitagrg. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
3. Now, start The Avenger program by double clicking on its icon on your desktop.
Under "Script file to execute" choose "Load script from file".
Now click on the folder icon which will open a new window titled "open Script File"
navigate to the file you have just downloaded, click on it and press open
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please attach the content of c:\avenger.txt into your reply, as well as a fresh HJT log.
Regards,
Your friendly Momok =)
maitagrg: In that case, please follow the instructions here.
1. Download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.
2. Download the attached avengerscript.txt (from my attachment) and save it to your desktop
Note: the above code was created specifically for maitagrg. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
3. Now, start The Avenger program by double clicking on its icon on your desktop.
Under "Script file to execute" choose "Load script from file".
Now click on the folder icon which will open a new window titled "open Script File"
navigate to the file you have just downloaded, click on it and press open
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please attach the content of c:\avenger.txt into your reply, as well as a fresh HJT log.
Regards,
Your friendly Momok =)
howard_hopkinso
Posts: 21,238 +17
Your HJT log is clean.
However, since you use online banking etc, we cannot guarantee the safety of your system. It`s quite possible your details may have already been stolen.
If it were my system I would reformat it and contact my bank etc and tell them my computer has been compromised.
This thread HERE might help you to decide your best course of action.
Regards Howard
This thread is for the use of maitagrg only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
However, since you use online banking etc, we cannot guarantee the safety of your system. It`s quite possible your details may have already been stolen.
If it were my system I would reformat it and contact my bank etc and tell them my computer has been compromised.
This thread HERE might help you to decide your best course of action.
Regards Howard
This thread is for the use of maitagrg only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
- Status
Latest posts
-
Fallout 4 mod downloads skyrocket following launch of TV series- Farkinell replied
-
Apple secures supplier to replace physical buttons on iPhone- Atmajaya2020 replied
