Jump to content

Build Theme!
  •  
  • Unreplied Topics
  • Downloads
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93101 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

TK895 HJT Log 4-4-06

Started by Tk895 Michael , Apr 04 2006 08:31 AM

  • This topic is locked This topic is locked
15 replies to this topic

#1 Tk895 Michael

Tk895 Michael

    New Member

  • Authentic Member
  • Pip
  • 9 posts

Posted 04 April 2006 - 08:31 AM

Here is the log I just ran:

Logfile of HijackThis v1.99.1
Scan saved at 9:21:09 AM, on 4/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\Documents and Settings\Michael\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
O1 - Hosts: 216.19.0.250 idenupdate.motorola.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Dell Home - {70552DA0-FB8C-11D3-B245-00B0D04BD95C} - http://smbusiness.dellnet.com/ (file missing) (HKCU)
O12 - Plugin for .HTF: C:\PROGRA~1\INTERN~1\Plugins\NPIMGVIE.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{FA8C3DA7-38E7-4453-A021-54CA1F232F0F}: Domain = GMADOM05754
O17 - HKLM\System\CCS\Services\Tcpip\..\{FA8C3DA7-38E7-4453-A021-54CA1F232F0F}: NameServer = 10.205.1.100,10.205.1.200
O20 - Winlogon Notify: wincrj32 - C:\WINDOWS\SYSTEM32\wincrj32.dll
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe



I have been getting alerts from Zone Alarm about silentdialer every day. Many times it alerts multiple times each day. this just started and I can't seem to find the problem.

    Advertisements

Register to Remove

#2 Tk895 Michael

Tk895 Michael

    New Member

  • Authentic Member
  • Pip
  • 9 posts

Posted 04 April 2006 - 09:04 AM

I just got another scan from ZA - the virus that keeps popping up is Win32.SilentCaller.V The scan status says it has been treated, the risk was high, the file is in the windows/TEMP/ folder and the filename is differant each time. The last two were jakninmd.exe and egekkomd.exe. After the scan results message I check and the files are not in that directory. Now I want to find what is causing these. Any help is welcome. Thanks

#3 Tk895 Michael

Tk895 Michael

    New Member

  • Authentic Member
  • Pip
  • 9 posts

Posted 04 April 2006 - 12:18 PM

Product name Universa Application File name c:\WINDOWS\TEMP\winE7D.tmp.exe Last policy update Not applicable Version 1, 0, 0, 1 Last modified date 3/31/2006 16:07:04 File size 13 KB This file keeps trying to do things. The file name changes each time. The E7D section becomes something else each time but the rest stays the same. Product name Universa Application File name c:\WINDOWS\TEMP\winF70.tmp.exe Last policy update Not applicable Version 1, 0, 0, 1 Last modified date 4/4/2006 12:14:44 File size 13 KB I just want to find out where it's coming from and kill it. :)

#4 Tk895 Michael

Tk895 Michael

    New Member

  • Authentic Member
  • Pip
  • 9 posts

Posted 07 April 2006 - 02:17 PM

bump - anyone see anything bad in this log?

#5 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 11 April 2006 - 04:44 PM

Hello Tk895 Michael, welcome to the TC Forum.

I don't see a Anti-Virus program.

Click the link and Save, Install, Update and run a full scan.
http://free.grisoft....ree_375a691.exe

Reboot:

Download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES.
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
Please download the trial version of ewido anti-malware 3.5 here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.


Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


Then please run Ewido, click on the Scanner run a full scan and let it clean everything it finds. Save the logfile from the scan.


While still in Safe Mode:

Run hijackthis. Hit None of the above, Click Do a System Scan Only. Put a Check in the box on the left side on these:

O20 - Winlogon Notify: wincrj32 - C:\WINDOWS\SYSTEM32\wincrj32.dll

Close ALL windows and browsers except HijackThis and click "Fix checked"



Open C:\Windows\Prefetch\ Delete ALL files in this folder.



Do this also if these Temp Folders are part of your OS.

Also in safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.


Next navigate to the C:\Documents and Settings\(EVERY LISTED PROFILE USER)\Local Settings\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply

Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.

Edited by LDTate, 11 April 2006 - 04:44 PM.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 

#6 Tk895 Michael

Tk895 Michael

    New Member

  • Authentic Member
  • Pip
  • 9 posts

Posted 11 April 2006 - 06:23 PM

Thanks for responding, :) I have Zone Alarm Suite with Antivirus and Antispam along with the other tools. I also run Spybot S&D manually. I will try your suggestions in the morning when I get back to work. I do believe I found the issue. I will post that also in the morning.

Edited by Tk895 Michael, 11 April 2006 - 06:27 PM.

#7 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 11 April 2006 - 06:28 PM

OK :thumbup:

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 

#8 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 17 April 2006 - 03:10 PM

How are you doing with the fix?

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 

#9 Tk895 Michael

Tk895 Michael

    New Member

  • Authentic Member
  • Pip
  • 9 posts

Posted 18 April 2006 - 01:49 PM

Ok, sorry for the delay.

I ran Vundo - nothing found :)

Safe Mode:

ran ewido -

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 2:21:32 PM, 4/18/2006
+ Report-Checksum: A3B1223F

+ Scan result:

C:\Documents and Settings\admin\Cookies\anyuser@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\admin\Cookies\anyuser@hg1.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\admin\Cookies\anyuser@hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\admin\Cookies\anyuser@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\admin\Cookies\techuser01@ads.x10[1].txt -> TrackingCookie.X10 : Cleaned with backup
C:\Documents and Settings\admin\Cookies\techuser01@ads.x10[3].txt -> TrackingCookie.X10 : Cleaned with backup
C:\Documents and Settings\admin\Cookies\techuser01@advertising[1].txt -> TrackingCookie.Advertising : Cleaned with backup
C:\Documents and Settings\admin\Cookies\techuser01@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\admin\Cookies\techuser01@atdmt[3].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\admin\Cookies\techuser01@bfast[2].txt -> TrackingCookie.Bfast : Cleaned with backup
C:\Documents and Settings\admin\Cookies\techuser01@bis.180solutions[1].txt -> TrackingCookie.180solutions : Cleaned with backup
C:\Documents and Settings\admin\Cookies\techuser01@bluestreak[1].txt -> TrackingCookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\admin\Cookies\techuser01@centrport[1].txt -> TrackingCookie.Centrport : Cleaned with backup
C:\Documents and Settings\admin\Cookies\techuser01@commission-junction[1].txt -> TrackingCookie.Commission-junction : Cleaned with backup
C:\Documents and Settings\admin\Cookies\techuser01@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\admin\Cookies\techuser01@doubleclick[2].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\admin\Cookies\techuser01@edge.ru4[2].txt -> TrackingCookie.Ru4 : Cleaned with backup
C:\Documents and Settings\admin\Cookies\techuser01@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned with backup
C:\Documents and Settings\admin\Cookies\techuser01@gm.preferences[1].txt -> TrackingCookie.Preferences : Cleaned with backup
C:\Documents and Settings\admin\Cookies\techuser01@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\admin\Cookies\techuser01@pointroll[1].txt -> TrackingCookie.Pointroll : Cleaned with backup
C:\Documents and Settings\admin\Cookies\techuser01@preferences[1].txt -> TrackingCookie.Preferences : Cleaned with backup
C:\Documents and Settings\admin\Cookies\techuser01@qksrv[1].txt -> TrackingCookie.Qksrv : Cleaned with backup
C:\Documents and Settings\admin\Cookies\techuser01@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\admin\Cookies\techuser01@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\admin\Cookies\techuser01@servedby.advertising[2].txt -> TrackingCookie.Advertising : Cleaned with backup
C:\Documents and Settings\admin\Cookies\techuser01@server.iad.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned with backup
C:\Documents and Settings\admin\Cookies\techuser01@zedo[2].txt -> TrackingCookie.Zedo : Cleaned with backup
C:\Documents and Settings\admin\Cookies\techuser01@zedo[3].txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.6:C:\Documents and Settings\Michael\Application Data\Mozilla\Profiles\default\4wa2ej9k.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.7:C:\Documents and Settings\Michael\Application Data\Mozilla\Profiles\default\4wa2ej9k.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.8:C:\Documents and Settings\Michael\Application Data\Mozilla\Profiles\default\4wa2ej9k.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.9:C:\Documents and Settings\Michael\Application Data\Mozilla\Profiles\default\4wa2ej9k.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.10:C:\Documents and Settings\Michael\Application Data\Mozilla\Profiles\default\4wa2ej9k.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.11:C:\Documents and Settings\Michael\Application Data\Mozilla\Profiles\default\4wa2ej9k.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.12:C:\Documents and Settings\Michael\Application Data\Mozilla\Profiles\default\4wa2ej9k.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.13:C:\Documents and Settings\Michael\Application Data\Mozilla\Profiles\default\4wa2ej9k.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.14:C:\Documents and Settings\Michael\Application Data\Mozilla\Profiles\default\4wa2ej9k.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Michael\Application Data\Mozilla\Profiles\default\4wa2ej9k.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Michael\Application Data\Mozilla\Profiles\default\4wa2ej9k.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Michael\Application Data\Mozilla\Profiles\default\4wa2ej9k.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Michael\Application Data\Mozilla\Profiles\default\4wa2ej9k.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Michael\Application Data\Mozilla\Profiles\default\4wa2ej9k.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.20:C:\Documents and Settings\Michael\Application Data\Mozilla\Profiles\default\4wa2ej9k.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.21:C:\Documents and Settings\Michael\Application Data\Mozilla\Profiles\default\4wa2ej9k.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.22:C:\Documents and Settings\Michael\Application Data\Mozilla\Profiles\default\4wa2ej9k.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.23:C:\Documents and Settings\Michael\Application Data\Mozilla\Profiles\default\4wa2ej9k.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.24:C:\Documents and Settings\Michael\Application Data\Mozilla\Profiles\default\4wa2ej9k.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.25:C:\Documents and Settings\Michael\Application Data\Mozilla\Profiles\default\4wa2ej9k.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.41:C:\Documents and Settings\Michael\Application Data\Mozilla\Profiles\default\4wa2ej9k.slt\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup
:mozilla.43:C:\Documents and Settings\Michael\Application Data\Mozilla\Profiles\default\4wa2ej9k.slt\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.53:C:\Documents and Settings\Michael\Application Data\Mozilla\Profiles\default\4wa2ej9k.slt\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.54:C:\Documents and Settings\Michael\Application Data\Mozilla\Profiles\default\4wa2ej9k.slt\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.64:C:\Documents and Settings\Michael\Application Data\Mozilla\Profiles\default\4wa2ej9k.slt\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.112:C:\Documents and Settings\Michael\Application Data\Mozilla\Profiles\default\4wa2ej9k.slt\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
:mozilla.113:C:\Documents and Settings\Michael\Application Data\Mozilla\Profiles\default\4wa2ej9k.slt\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
:mozilla.118:C:\Documents and Settings\Michael\Application Data\Mozilla\Profiles\default\4wa2ej9k.slt\cookies.txt -> TrackingCookie.Qksrv : Cleaned with backup
:mozilla.119:C:\Documents and Settings\Michael\Application Data\Mozilla\Profiles\default\4wa2ej9k.slt\cookies.txt -> TrackingCookie.Qksrv : Cleaned with backup
:mozilla.120:C:\Documents and Settings\Michael\Application Data\Mozilla\Profiles\default\4wa2ej9k.slt\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
:mozilla.141:C:\Documents and Settings\Michael\Application Data\Mozilla\Profiles\default\4wa2ej9k.slt\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.154:C:\Documents and Settings\Michael\Application Data\Mozilla\Profiles\default\4wa2ej9k.slt\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.155:C:\Documents and Settings\Michael\Application Data\Mozilla\Profiles\default\4wa2ej9k.slt\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.156:C:\Documents and Settings\Michael\Application Data\Mozilla\Profiles\default\4wa2ej9k.slt\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.157:C:\Documents and Settings\Michael\Application Data\Mozilla\Profiles\default\4wa2ej9k.slt\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.158:C:\Documents and Settings\Michael\Application Data\Mozilla\Profiles\default\4wa2ej9k.slt\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.160:C:\Documents and Settings\Michael\Application Data\Mozilla\Profiles\default\4wa2ej9k.slt\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.161:C:\Documents and Settings\Michael\Application Data\Mozilla\Profiles\default\4wa2ej9k.slt\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.170:C:\Documents and Settings\Michael\Application Data\Mozilla\Profiles\default\4wa2ej9k.slt\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
:mozilla.171:C:\Documents and Settings\Michael\Application Data\Mozilla\Profiles\default\4wa2ej9k.slt\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
:mozilla.172:C:\Documents and Settings\Michael\Application Data\Mozilla\Profiles\default\4wa2ej9k.slt\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.173:C:\Documents and Settings\Michael\Application Data\Mozilla\Profiles\default\4wa2ej9k.slt\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.174:C:\Documents and Settings\Michael\Application Data\Mozilla\Profiles\default\4wa2ej9k.slt\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.187:C:\Documents and Settings\Michael\Application Data\Mozilla\Profiles\default\4wa2ej9k.slt\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.188:C:\Documents and Settings\Michael\Application Data\Mozilla\Profiles\default\4wa2ej9k.slt\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.189:C:\Documents and Settings\Michael\Application Data\Mozilla\Profiles\default\4wa2ej9k.slt\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.190:C:\Documents and Settings\Michael\Application Data\Mozilla\Profiles\default\4wa2ej9k.slt\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.191:C:\Documents and Settings\Michael\Application Data\Mozilla\Profiles\default\4wa2ej9k.slt\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.192:C:\Documents and Settings\Michael\Application Data\Mozilla\Profiles\default\4wa2ej9k.slt\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.193:C:\Documents and Settings\Michael\Application Data\Mozilla\Profiles\default\4wa2ej9k.slt\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.201:C:\Documents and Settings\Michael\Application Data\Mozilla\Profiles\default\4wa2ej9k.slt\cookies.txt -> TrackingCookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\Michael\Cookies\michael@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Michael\Cookies\michael@stat.onestat[2].txt -> TrackingCookie.Onestat : Cleaned with backup
C:\Documents and Settings\Michael\Cookies\michael@vdn.valuead[2].txt -> TrackingCookie.Valuead : Cleaned with backup
C:\Documents and Settings\Michael\Desktop\hjt\backups\backup-20060404-090310-274.dll -> Adware.MediaTickets : Cleaned with backup
C:\WINDOWS\SYSTEM32\ld1ACA.tmp -> Downloader.Zlob.jt : Cleaned with backup
C:\WINDOWS\SYSTEM32\oins.exe -> Downloader.PurityScan.bt : Cleaned with backup


::Report End



Ran HJT -

Logfile of HijackThis v1.99.1
Scan saved at 2:27:00 PM, on 4/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Michael\Desktop\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
O1 - Hosts: 216.19.0.250 idenupdate.motorola.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{FA8C3DA7-38E7-4453-A021-54CA1F232F0F}: Domain = GMADOM05754
O17 - HKLM\System\CCS\Services\Tcpip\..\{FA8C3DA7-38E7-4453-A021-54CA1F232F0F}: NameServer = 10.205.1.100,10.205.1.200
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

Cleared prefetch and temp files

The original issue has been gone for a while but I'm hoping that nothing remains.

Do the logs look OK?

#10 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 18 April 2006 - 02:20 PM

Can you post a HJT log in Normal Mode plese?

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 

    Advertisements

Register to Remove

#11 Tk895 Michael

Tk895 Michael

    New Member

  • Authentic Member
  • Pip
  • 9 posts

Posted 18 April 2006 - 03:02 PM

Logfile of HijackThis v1.99.1 Scan saved at 3:54:17 PM, on 4/18/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\ZoneLabs\isafe.exe C:\Program Files\ewido anti-malware\ewidoctrl.exe C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\devldr32.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\System32\svchost.exe C:\Documents and Settings\Michael\Desktop\hjt\HijackThis.exe R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm O1 - Hosts: 216.19.0.250 idenupdate.motorola.com O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O17 - HKLM\System\CCS\Services\Tcpip\..\{FA8C3DA7-38E7-4453-A021-54CA1F232F0F}: Domain = GMADOM05754 O17 - HKLM\System\CCS\Services\Tcpip\..\{FA8C3DA7-38E7-4453-A021-54CA1F232F0F}: NameServer = 10.205.1.100,10.205.1.200 O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

#12 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 18 April 2006 - 03:11 PM

It doesn't look like you have a Anti-Viruse program:

Click the link and Save, Install, Update and run a full scan.
http://free.grisoft....ree_375a691.exe


Good Job :thumbup:

Log looks good :D :thumbup: How is it running any issues?

Note: This will remove all previous Restore Points

Turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Restart your computer, turn it back on.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Remove the Check Turn off System Restore.
Click Apply, and then click OK.

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Check "Hide file extensions for known file types."
Under the "Hidden files" folder, Uncheck "Show hidden files and folders."
Check "Hide protected operating system files."
Click Apply, and then click OK.





If you dont have these three programs I would recommend that you get them. Spywareblaster, Spywareguard and IESPY AD. They will add 1000's of sites to your resticted zone and block some hijacks from happening. I also have a FREE FIREWALL and FREE ANTI VIRUS if you need one.

It is critical to have both a firewall and anti virus to protect your system.

Keep your system up to date and run Adaware & Spybot, once a week works, and hopefully you will be ok from here on. Both are available below.

Safe Surfing. :D

I would also suggest you read this:
So how did I get infected in the first place?
by Tony Klein

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 

#13 Tk895 Michael

Tk895 Michael

    New Member

  • Authentic Member
  • Pip
  • 9 posts

Posted 18 April 2006 - 03:22 PM

It doesn't look like you have a Anti-Viruse program:



Thanks for the help!

Zone Alarm Suite 6.0 has AntiVirus, AntiSpyware and a very nice firewall solution. The firewall is not usually running but the program controls are. I am behind a corporate firewall.

Thanks again.

#14 Tk895 Michael

Tk895 Michael

    New Member

  • Authentic Member
  • Pip
  • 9 posts

Posted 18 April 2006 - 03:29 PM

You can check out the product here:

http://www.zonelabs....=en&lid=ho_zass

#15 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 18 April 2006 - 03:31 PM

You can check out the product here:

http://www.zonelabs....=en&lid=ho_zass

Thanks, I'll have to remember that :thumbup:


Great job :thumbup:

You're more then welcome.
Glad we were able to help

Peace be with you :wavey:

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 

Related Topics

Back to Virus, Spyware & Malware Removal · Next Unread Topic →

1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users

  1. What the Tech
  2. Spyware / Malware / Virus Removal
  3. Virus, Spyware & Malware Removal
  4. Privacy Policy
  5. Terms of Use ·