Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

hijack this log: help with pop-ups


  • Please log in to reply
2 replies to this topic

#1 davef

davef

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:02:07 AM

Posted 08 June 2005 - 10:37 AM

Here is my log. It started with Aurora, I think I got that off, but still getting pop-ups....

Logfile of HijackThis v1.99.1
Scan saved at 8:27:28 AM, on 6/8/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\RoamMgr.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Intel\Switching\User\RoamSvc.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\NaviSearch\bin\nls.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Microsoft Office\Office10\EXCEL.EXE
C:\Documents and Settings\user\Local Settings\Temp\Temporary Directory 1 for HijackThis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.exactsearch.net/sidesearch
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Lexmark X84-X85 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe
O4 - HKLM\..\Run: [Lexmark X84-X85 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [gxe] C:\WINDOWS\System32\gxe.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0A8A38F0-84F4-11D4-A0C5-005004A79108} (RColorScheme Class) - file://C:\Documents and Settings\Administrator\My Documents\Active Access Install\RDASHARE.CAB
O16 - DPF: {256D3EA4-2401-11D3-849C-00A0C9E7EDB9} (RUIMaster Class) - file://C:\Documents and Settings\Administrator\My Documents\Active Access Install\RDAUI.CAB
O16 - DPF: {44971EC1-7439-11D3-BDE0-00A0C9F03484} (RChart2 Class) - file://C:\Documents and Settings\Administrator\My Documents\Active Access Install\RDACHART.CAB
O16 - DPF: {468391E0-E986-11D3-A9E4-00A0C9843176} (Pivotal Active Client Shortcut Context Menu Handler) - file://C:\Documents and Settings\Administrator\My Documents\Active Access Install\RDACLNT.CAB
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/16459f9b626798...ip/RdxIE601.cab
O16 - DPF: {59F03A40-54FD-11D3-BB80-0090275C9881} (RUIReport Class) - file://C:\Documents and Settings\Administrator\My Documents\Active Access Install\RDARPRT.CAB
O16 - DPF: {5E2F4F92-71F9-11D3-BBFD-0090270F969B} (RCatalog Class) - file://C:\Documents and Settings\Administrator\My Documents\Active Access Install\RDAOBJCREATE.CAB
O16 - DPF: {5E2F4F94-71F9-11D3-BBFD-0090270F969B} (RInstantiator Class) - file://C:\Documents and Settings\Administrator\My Documents\Active Access Install\RDAOBJCREATE.CAB
O16 - DPF: {609017E1-19B8-11D3-A15E-00A0C9E7531E} (RSysClnt Class) - file://C:\Documents and Settings\Administrator\My Documents\Active Access Install\RDACLNT.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1095912615145
O16 - DPF: {6B1B12A4-F2E0-11D3-96E9-00A0C9E7E899} (RDataFeedShim Class) - file://C:\Documents and Settings\Administrator\My Documents\Active Access Install\RDAOBJCREATE.CAB
O16 - DPF: {88856052-51C2-11D3-BBA4-009027655B04} (RUILetterExpress Class) - file://C:\Documents and Settings\Administrator\My Documents\Active Access Install\RDALETEX.CAB
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://www.vzwpix.com/activex/VerizonWirel...loadControl.cab
O16 - DPF: {9D373AC2-680F-11D4-A094-005004A79108} (RResLocator Class) - file://C:\Documents and Settings\Administrator\My Documents\Active Access Install\RDARES.CAB
O16 - DPF: {A4BD9732-328D-11D4-BB89-00A0C9843488} (Pivotal Rn1SendX RXSession Class) - file://C:\Documents and Settings\Administrator\My Documents\Active Access Install\RN1SENDX.CAB
O16 - DPF: {AD11C500-70A8-11D3-BB7C-0090275CE8CF} (RUIPrefs Class) - file://C:\Documents and Settings\Administrator\My Documents\Active Access Install\RDAPREFS.CAB
O16 - DPF: {AE4F48D0-6A0A-11D3-9FB0-005004A79108} (RCreateResults Class) - file://C:\Documents and Settings\Administrator\My Documents\Active Access Install\DFOUTILS.CAB
O16 - DPF: {B6E8E1DC-4EA3-11D3-96BC-00A0C9E7E899} (RUIPortal Class) - file://C:\Documents and Settings\Administrator\My Documents\Active Access Install\RDAPRTL.CAB
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - file://C:\Documents and Settings\Administrator\My Documents\Active Access Install\activexviewer.cab
O16 - DPF: {F932EFE9-32D9-11D3-A185-00A0C9E7531E} (RADC Class) - file://C:\Documents and Settings\Administrator\My Documents\Active Access Install\RDACLNT.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = clda.com
O17 - HKLM\Software\..\Telephony: DomainName = clda.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = clda.com
O20 - Winlogon Notify: ckpNotify - C:\WINDOWS\SYSTEM32\ckpNotify.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Adapter Switching (IntelRoam) - Intel Corporation - C:\Program Files\Intel\Switching\User\RoamSvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: RoamMgr - Intel Corporation - C:\WINDOWS\System32\RoamMgr.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe

BC AdBot (Login to Remove)

 


#2 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:03:07 AM

Posted 09 June 2005 - 12:43 PM

Hello davef and welcome to the BC forums. After reviewing your log I see a few items that require our attention. Please print these directions and then proceed with the following steps in order.

Step #1

Download CCleaner and install it but do not run it yet.

Step #2

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Step #3

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.exactsearch.net/sidesearch
R3 - Default URLSearchHook is missing
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/16459f9b626798...ip/RdxIE601.cab

I could not find anything on the Active Access Installer. Unless you installed this program and know what it is you should remove these items also:O16 - DPF: {0A8A38F0-84F4-11D4-A0C5-005004A79108} (RColorScheme Class) - file://C:\Documents and Settings\Administrator\My Documents\Active Access Install\RDASHARE.CAB
O16 - DPF: {256D3EA4-2401-11D3-849C-00A0C9E7EDB9} (RUIMaster Class) - file://C:\Documents and Settings\Administrator\My Documents\Active Access Install\RDAUI.CAB
O16 - DPF: {44971EC1-7439-11D3-BDE0-00A0C9F03484} (RChart2 Class) - file://C:\Documents and Settings\Administrator\My Documents\Active Access Install\RDACHART.CAB
O16 - DPF: {468391E0-E986-11D3-A9E4-00A0C9843176} (Pivotal Active Client Shortcut Context Menu Handler) - file://C:\Documents and Settings\Administrator\My Documents\Active Access Install\RDACLNT.CAB
O16 - DPF: {59F03A40-54FD-11D3-BB80-0090275C9881} (RUIReport Class) - file://C:\Documents and Settings\Administrator\My Documents\Active Access Install\RDARPRT.CAB
O16 - DPF: {5E2F4F92-71F9-11D3-BBFD-0090270F969B} (RCatalog Class) - file://C:\Documents and Settings\Administrator\My Documents\Active Access Install\RDAOBJCREATE.CAB
O16 - DPF: {5E2F4F94-71F9-11D3-BBFD-0090270F969B} (RInstantiator Class) - file://C:\Documents and Settings\Administrator\My Documents\Active Access Install\RDAOBJCREATE.CAB
O16 - DPF: {609017E1-19B8-11D3-A15E-00A0C9E7531E} (RSysClnt Class) - file://C:\Documents and Settings\Administrator\My Documents\Active Access Install\RDACLNT.CAB
O16 - DPF: {6B1B12A4-F2E0-11D3-96E9-00A0C9E7E899} (RDataFeedShim Class) - file://C:\Documents and Settings\Administrator\My Documents\Active Access Install\RDAOBJCREATE.CAB
O16 - DPF: {88856052-51C2-11D3-BBA4-009027655B04} (RUILetterExpress Class) - file://C:\Documents and Settings\Administrator\My Documents\Active Access Install\RDALETEX.CAB
O16 - DPF: {9D373AC2-680F-11D4-A094-005004A79108} (RResLocator Class) - file://C:\Documents and Settings\Administrator\My Documents\Active Access Install\RDARES.CAB
O16 - DPF: {A4BD9732-328D-11D4-BB89-00A0C9843488} (Pivotal Rn1SendX RXSession Class) - file://C:\Documents and Settings\Administrator\My Documents\Active Access Install\RN1SENDX.CAB
O16 - DPF: {AD11C500-70A8-11D3-BB7C-0090275CE8CF} (RUIPrefs Class) - file://C:\Documents and Settings\Administrator\My Documents\Active Access Install\RDAPREFS.CAB
O16 - DPF: {AE4F48D0-6A0A-11D3-9FB0-005004A79108} (RCreateResults Class) - file://C:\Documents and Settings\Administrator\My Documents\Active Access Install\DFOUTILS.CAB
O16 - DPF: {B6E8E1DC-4EA3-11D3-96BC-00A0C9E7E899} (RUIPortal Class) - file://C:\Documents and Settings\Administrator\My Documents\Active Access Install\RDAPRTL.CAB
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - file://C:\Documents and Settings\Administrator\My Documents\Active Access Install\activexviewer.cab
O16 - DPF: {F932EFE9-32D9-11D3-A185-00A0C9E7531E} (RADC Class) - file://C:\Documents and Settings\Administrator\My Documents\Active Access Install\RDACLNT.CAB

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Step #4

We need to make sure all hidden files are showing so please:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide file extensions for known types option.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Find the following files/folders and delete them (don't worry if they are already gone):C:\WINDOWS\System32\nvms.dll
C:\WINDOWS\System32\msbe.dll
C:\Program Files\BullsEye Network\ <--folder
C:\Program Files\NaviSearch\ <--folder

If you removed the Active Access Installer then delete this folder also:C:\Documents and Settings\Administrator\My Documents\Active Access Install\ <--folder
Step #5

Start CCleaner and click on the <b>Run Cleaner[/b] button in the lower right-hand corner. When it is finished close CCleaner.

Step #6

Reboot normally and run at least 2 of the following on-line virus scans:Trend Micro Housecall
BitDefender On-Line Virus Scan
Panda ActiveScan
eTrust Antivirus Web Scanner
Make sure that you choose "fix" or "clean".

Step #7

AdAware SE v1.06

Download, install, update, configure and run a scan with Ad-aware SE v1.06:
  • Download and Install AdAware SE Personal, keeping the default options. However, some of the settings will need to be changed before your first scan.
  • Close ALL windows except Ad-Aware SE.
  • Click on the‘world’ icon at the top right of the Ad-Aware SE window and let AdAware SE update the reference list for the adware and malware.
  • Once the update is finished click on the ‘Gear’ icon (second from the left at the top of the window) to access the preferences/settings window:
    • In the ‘General’ window make sure the following are selected in green:
      • Under Safety:
        • Automatically save log-file
      • Automatically quarantine objects prior to removal
      • Safe Mode (always request confirmation)
    • Under Definitions:
      • Prompt to update outdated definitions - set the number of days
  • Click on the ‘Scanning’ button on the left and select in green:
    • Under Driver, Folders & Files:
      • Scan Within Archives
    • Under Select drives & folders to scan:
      • choose all hard drives
    • Under Memory & Registry: all green
      • Scan Active Processes
      • Scan Registry
      • Deep Scan Registry
      • Scan my IE favorites for banned URL’s
      • Scan my Hosts file
  • Click on the ‘Advanced’ button on the left and select in green:
    • Under Shell Integration:
      • Move deleted files to recycle bin
    • Under Logfile Detail Level: all green
      • include addtional object information
      • DESELECT - include negligible objects information
      • include environment information
    • Under Alternate Data Streams:
      • Don't log streams smaller than 0 bytes
      • Don't log ADS with the following names: CA_INOCULATEIT
  • Click the ‘Tweak’ button and select in green:
    • Under ‘Scanning Engine’:
      • Unload recognized processes during scanning
      • Scan registry for all users instead of current user only
    • Under ‘Cleaning Engine’:
      • Let Windows remove files in use at next reboot
    • Under Log Files:
      • Include basic Ad-aware SE settings in logfile
      • Include additional Ad-aware SE settings in logfile
      • Please do not check: Include Module list in logfile
  • Click on ‘Proceed’ to save the settings.
  • Click ‘Start’
  • Choose 'Perform Full System Scan'
  • DESELECT "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat.
  • Click ‘Next’ and Ad-Aware SE will scan your hard drive(s) with the options you have selected and clean automatically.
  • If Ad-Aware SE finds bad entries, you will receive a list of what it found in the window
  • Right-click on the list and choose Select All
  • Click the Next button to finish removing the items that were found
  • When finished, REBOOT to complete the removal of what Ad-Aware SE found
Step #8

OK. Reboot your computer normally, start HijackThis and perform a new scan. Use the Add Reply button to post your new log file back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

OT

Edited by OldTimer, 09 June 2005 - 12:46 PM.

I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image

#3 davef

davef
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:02:07 AM

Posted 10 June 2005 - 10:52 AM

I am unable to start in safe mode, since this computer is locked by my IT department. They havent been much help with this problem, but I am locked out of starting this computer in safe mode.

can I do these operations starting this computer in normal mode?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users