Post by: Guest_Kim on January 10, 2005, 10:16:42 PM
We have Spybot Version 1.2 and Ad-aware Version 6.0. I downloaded HijackThis and ran it, HOWEVER for some reason the machine is not recognizing the WRITE portion of the CD drive, therefore, we are unable to get you a copy of the log.
Is there anything you can do to help us?
Thanks,
Marc and Kim
Post by: guestolo on January 10, 2005, 10:20:22 PM
Can you try this for me
Can you get online with this laptop
If you can, try this
Can you Download Hijackthis 1.99
A small utility to help identify if any Hijackers, Malware, Spyware, etc.....Reside on your computer
Important: Create a Permanent folder for Hijackthis
Double Click "MY Computer"
Open your C: drive
Click "File" >>> "New" >>>> "Folder"
A new folder will be created, name it HJT
Now you will have C:\HJT
Download Hijackthis from CLICK HERE (http://\"https://ssl.perfora.net/tools.radiosplace.com/HijackThis.exe\") or CLICK HERE (http://\"http://aumha.org/downloads/hijackthis.exe\")
Save it to that new folder
Do a SCAN and Save a Log file---Save the log----copy and paste the WHOLE contents of the log here... Don't try and fix anything yet----It is all important
Let me know, can you accept email .exe files, I can mail the program to you if you can't get online with your browser
EDIT>>>If you have Internet connection
Try not to run Hijackthis from a CD
Save it to a Permanent folder on your laptops harddrive
Post by: Guest_Kim on January 10, 2005, 10:24:07 PM
We have already downloaded V1.99 of Hijackthis and installed it in a permanent folder. We have run the scan and saved it.
We can NOT access the internet with the laptop as the desktop.exe appears to be preventing AOL (our ISP) from operating.
Any other suggestions?
Post by: guestolo on January 10, 2005, 10:26:19 PM
Hijackthis log
I can supply my email address here for a short time
Email me the log if you can
If you register, I can PM you my email address, you won't be able to use the one I supplied to the forum
Post by: guestolo on January 10, 2005, 10:28:46 PM
If you look at the bottom of this thread it will show 2 users reading this topic
EDIT>>be right back
15 minutes
We'll figure out something, no worries
Post by: Guest_Kim on January 10, 2005, 10:32:17 PM
There are a couple of registry entries pointing to New.Net.Startup that are suspect. Could these be part of the problem? I have the laptop right here and could answer any questions you may have..
Post by: JaxUnicorn on January 10, 2005, 10:36:13 PM
Post by: guestolo on January 10, 2005, 10:36:17 PM
Can you Access your Add/Remove Programs and remove New.net Application or New.net Domains
Restart your computer afterwards
Let me know if you can get online afterwards
If not keep letting me know what you see in your log
Just let me know the 04 entries
EDIT>>>Hi JaxUnicorn
If still not Online
Could you download LSP fix.exe (http://\"http://www.cexx.org/LSPFix.exe\")
On the computer online
Transfer it to the other computer
Make sure you save it on the hard drive, don't run it from CD
Open LSP fix>>>Let me know what you see on the KEEP side
Also let me know what you see on the REMOVE side
Close out of there for now by using the X at the top
Post by: JaxUnicorn on January 10, 2005, 10:41:18 PM
Will type in some of the 04 entries for you in my next post.
Kim
Post by: JaxUnicorn on January 10, 2005, 10:46:40 PM
On the KEEP side: mswsock.dll, winrnr.dll and rsvpsp.dll
Nothing on the REMOVE side
You still want the 04 entries from HijackThis?
Post by: guestolo on January 10, 2005, 10:47:37 PM
To get this link to work properly you will have to Right click on it
Copy Shortcut
Paste it to IE's address bar and then click GO
Or if using Firefox Copy link location and paste to the address bar
Removed Link
Save the uninstaller to the desktop and run it>>follow the prompts and then restart your computer
Let me know the info from LSP fix also >>>thanx for the info
Be back in 15
Post by: JaxUnicorn on January 10, 2005, 10:58:22 PM
Post by: guestolo on January 10, 2005, 11:15:28 PM
But if you could
Open LSP fix, but this time click the FINISH button
RESTART your computer
If no go I will have to know what's running on your system
Here's an example from your log I've what I need to see
I don't need to see all the running processes
like this
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
Those running processes are ok, but let me know what others
you have
You don't have to type them all out but as an eg....
System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
Could you do something like
In this folder
system32
I have spoolsv.exe
svchost.exe
lsass.exe
.................................
Remember the above ones I don't need to see right now
Other
The R0's and the R1
Again you don't need to type them all out but let me know where there directing too
EG..R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
Let me know what address there linked too
The 04 entries are important to see
Eg.... O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
I don't need to see legitimate ones, unless your unsure
The 04 you could put in like this
Grisoft\AVGFRE~1\avgemc.exe
Program Files\SpywareGuard\sgmain.exe
Also go to Add/Remove Programs via Control Panel
Anything out of the Ordinary you don't recognize post it back
You don't have a USB thumbdrive do you, something that may work besides the CD
/biggrin.gif\' class=\'bbc_emoticon\' alt=\':D\' />
Post by: JaxUnicorn on January 10, 2005, 11:31:00 PM
Post by: guestolo on January 10, 2005, 11:35:53 PM
You may be missing something malicious
Your versions of Spybot and Ad-Aware are way out of date
Post by: Joeweeda on January 11, 2005, 01:55:31 PM
/smile.gif\' class=\'bbc_emoticon\' alt=\':)\' />http://www.power2source.com/index.php?ref_id=2058 (http://\"http://www.power2source.com/index.php?ref_id=2058\")