Author Topic: How to clean a virus  (Read 7851 times)

0 Members and 1 Guest are viewing this topic.

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31080
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re:How to clean a virus
« Reply #15 on: December 08, 2004, 02:34:09 PM »
HijackThis doesn't say if something is bad or not. That is for the user to find out.

sgrbrlnd

  • Guest
Re:How to clean a virus
« Reply #16 on: December 08, 2004, 02:48:53 PM »
Lee16,  
this seems an opinion................This entry was analyzed  in a Hijack forum  where no exception  was arised  about  it !

http://forums.net-integration.net/index.php?showtopic=24919
« Last Edit: December 08, 2004, 02:53:39 PM by sgrbrlnd »

whocares

  • Guest
Re:How to clean a virus
« Reply #17 on: December 08, 2004, 02:55:02 PM »
lee,
lookup the respective RegKey on your machine, and you'll probably find "Links" as entry there

could this mean "collegamenti" in italian ? (just guessing ;) )

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31080
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re:How to clean a virus
« Reply #18 on: December 08, 2004, 02:58:13 PM »
collegamenti means connections.

sgrbrlnd

  • Guest
Re:How to clean a virus
« Reply #19 on: December 08, 2004, 03:11:25 PM »
Collegamenti means both connections and links......
in this case it means  "links"






« Last Edit: December 09, 2004, 10:32:53 PM by sgrbrlnd »

lee16

  • Guest
Re:How to clean a virus
« Reply #20 on: December 08, 2004, 03:21:12 PM »
Mabey i didn't make myself clear  :)

I checked the log with an analyser first, saw it was the only entry that was listed as 'bad' so i did some research on it, and it seemed bad, so i suggested to remove it, but ofcourse it was an opinon, it looked bad to me really, but if its good there is a simply solution, don't remove/fix it  ;)

But i do know that its not always hijacker on R0, as my log has them to (see below)

Logfile of HijackThis v1.98.2
Scan saved at 14:19:51, on 08/12/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\MrPostman\wrapper\wrapper.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Java\jre1.5.0\bin\java.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Kieron\My Documents\HijackThis.exe
C:\WINDOWS\system32\cidaemon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blueyonder.co.uk/blueyonder/index.jsp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blueyonder.co.uk/blueyonder/index.jsp

N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Kieron\Application Data\Mozilla\Profiles\default\mrbif5hs.slt\prefs.js)
O1 - Hosts: 82.129.40.116 irc.westwood.com
O1 - Hosts: 82.129.40.116 servserv.westwood.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Messenger\ycomp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Messenger\ycomp.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [PowerVRUninstall] C:\WINDOWS\pmxreg.exe -setupUninstall
O4 - HKLM\..\Run: [PMXInit] C:\WINDOWS\system32\pmxinit.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O8 - Extra context menu item: Open Link Target in Firefox - file://C:\Documents and Settings\Kieron\Application Data\Mozilla\Firefox\Profiles\2nlsvz7t.default\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewlink.html
O8 - Extra context menu item: View This Page in Firefox - file://C:\Documents and Settings\Kieron\Application Data\Mozilla\Firefox\Profiles\2nlsvz7t.default\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewpage.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab


--lee


Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31080
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re:How to clean a virus
« Reply #21 on: December 08, 2004, 03:25:09 PM »
R0, R1, R2, R3 - IE Start & Search page
What it looks like:

R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page=http://www.google.com/
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL=http://www.google.com/
R3 - Default URLSearchHook is missing
What to do:
If you recognize the URL at the end as your homepage or search engine, it's OK. If you don't, check it and have HijackThis fix it.
For the R3 items, always fix them unless it mentions a program you recognize, like Copernic.
« Last Edit: December 08, 2004, 03:25:34 PM by Eddy »