Updated: 7/30/05

ALL CURRENT UPDATES will be highlighted in RED. There's only one section that will always be RED (even if not updated), and that one is to tell users not to follow instructions for someone else's log. So if a new update is posted, the previous RED entries will go back to the default black color and the newer updates will be in RED.

ALL WHO ARE VIEWING: Do NOT attempt to do the fixes using the instructions given to someone else. Your log may look almost identical, but most likely they're not. Each log will need individual attention. In some cases, if you do a fix incorrectly, it may make matters worse. So please post your own log in the forum. The fix will/should apply to you only.

This section of the forum will be used to post any spyware/adware or virus questions you may have. Please give the Subject field a descriptive name indicating your computer problem.

Things to do before posting:

If you have a question on a certain virus, post that in the subject field. Before posting, please run an online virus scan at one or more of the sites listed below to see if they can remove it first:

BitDefender
Online Trojan Scan
Panda ActiveScan
TrendMicro

If you have questions on spyware, please visit the Anti-Spyware Tutorial for steps on how to correct some of the problems first. Then you may post a HijackThis log indicating your problem in the subject field. If you just want your log to be checked to see if it's clean or not, just type HJT Checkup as the subject. Please DON'T edit anything in HijackThis. We need the whole log (including headers).

For all the log files that you post here, make sure to say that you have read the Anti-Spyware Tutorial section so I know you followed the instructions there already.

Please read through the instructions on what/how to fix in the logs. Make sure to print them out or copy them into Notepad since you shouldn't have any browsers open when doing the fixes. If you have any questions, do not do the fix yet. Ask the question and clear everything up before fixing.

For those files/folders that need to be deleted, you will sometimes see a tilde and a number (~1) after the name. For example, I might tell you to delete the following folder:

C:\progra~1\intern~2\

You see the ~1 and ~2 there? It's just using the old DOS 8.3 filename/foldername convention. The ~1 and ~2 indicate which folder it is. You might have folders like Program Files (this is a legitimate folder) and Programs (let's say in this example that this is another folder you created). The progra~1 means the FIRST folder that begins with PROGRA, so it's the Program Files folder. If it says progra~2, it would have been the Programs folder. The same applies to intern~2. It's the second folder that begins with INTERN. Most of us should have a folder called Internet Explorer in there and that would be intern~1 (most likely - unless there's a folder that goes before it).

There are a lot of programs out there and there is no way for us to keep track of every one that exists. So to help us analyze your log more quickly, please indicate the programs that you know about if they are not common (like server programs or applications that are work related). For example, let's just say the following program is not very common (just an example since the two below are very common). You would say something like:

The MusicMatch program is a music player I use.
The LexmarkPrinTray (or just mention the exe file -> PrinTray.exe) is used for my printer.

O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
You don't have to do it for all of them. Just do it for the less used/known programs for the typical user - like company/work related programs is one example. Some programs may be used in your company only and I will have no idea what it's for. So indicate it before posting the HijackThis log.

Some log files will have an O17 entry in them. For example:

O17 - HKLM\System\CCS\Services\Tcpip\..\{F03A0CEF-4AD0-443F-B0DC-55692C98F09E}: NameServer = 192.168.0.1

If this is the case, I want you to replace all those numbers with X's ONLY if you know that they are correct. Tell us in the message that you used the X's to replace the numbers. This is just to prevent the IP addresses from showing up. If you are unsure whether it's safe to keep or not, post it here (exactly as it is). Say that you are unsure of it and we will take a look at it. If it's just an internal IP (like the example I gave above), you may leave it. It's no security risk at all since that's not your external IP address.

Problem solved and wrapping it up:

If the problem is solved, please post back saying that it's solved. If the problem comes back after a couple of days, you may still reply to your old post. If it's over a week old, you might have to give us new logs. If you don't get a reply after 2 days, you may give the post a bump (moving it up). This is just in case I read it but forgot to reply to it. DON'T bump your message on top thinking it will be answered quicker. That won't happen. I answer from the oldest post to the newer/more recent ones. But if there's no reply, you should bump it since I might have missed it.

After you fix the problems, I recommend downloading a program called RegSeeker to clean out any junk entries in your registry. Just install it and click on 'Clean The Registry' in the left panel. Check all the boxes (make sure the backup box in the lower left corner is selected!). After it runs, click 'Select All' on the bottom. Then right-click on any selected item in the window and select 'Delete Selected Items'. Click 'Quit RegSeeker'.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.

If you were asked to disable System Restore during the fix, make sure to enable System Restore (for ME/XP only) after everything is fixed.

Kevin.
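
The O17 masking rule described in the post, as an added example that is not part of the original post: it replaces the digits of external NameServer addresses with X's and leaves internal ones alone. The function names, the list of ranges treated as internal, and the second O17 line (with the documentation address 203.0.113.53 standing in for an external resolver) are assumptions constructed for this illustration.

```python
import ipaddress
import re

# Ranges treated as "internal" (an assumption of this example): RFC 1918
# private space, loopback and link-local. Every other address is masked.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Dotted-quad candidates in the value part of an O17 line.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def _mask(match):
    """Return the address unchanged if internal, otherwise digits -> X."""
    text = match.group(0)
    try:
        addr = ipaddress.IPv4Address(text)
    except ipaddress.AddressValueError:
        addr = None  # unparsable: fail closed and mask it anyway
    if addr is not None and any(addr in net for net in INTERNAL_NETS):
        return text
    return re.sub(r"\d", "X", text)

def redact_o17(log_text):
    """Mask external IPs on O17 lines; return (new_text, lines_changed)."""
    out, changed = [], 0
    for line in log_text.splitlines():
        if line.startswith("O17 - "):
            # Only touch what follows " = ", so the registry path and the
            # interface GUID stay exactly as HijackThis wrote them.
            head, sep, value = line.partition(" = ")
            masked = IPV4_RE.sub(_mask, value)
            changed += masked != value
            line = head + sep + masked
        out.append(line)
    return "\n".join(out), changed

# Constructed sample: the first two lines come from the post, the third is
# made up to show an external resolver next to an internal one.
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{F03A0CEF-4AD0-443F-B0DC-55692C98F09E}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{F03A0CEF-4AD0-443F-B0DC-55692C98F09E}: NameServer = 203.0.113.53 192.168.0.1"""

if __name__ == "__main__":
    text, count = redact_o17(SAMPLE_LOG)
    print(text)
    print("O17 lines masked:", count)
```

Keep the unmasked log on disk, and say in the message that X's were used, as the post asks.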