
[Closed] Hijack this log


2 replies to this topic

#1 krazykat

krazykat

    New Member

  • 2 posts

Posted 01 December 2007 - 04:46 PM

Hello,

Here is my hijack this log. I am posting my Hijack This log so that I can resolve an Ad-Aware SE scan. Here is the Ad-Aware SE scan:

2007/12/01 09:25:57:703: Switching to service version.
2007/12/01 09:25:59:890: OnitDialog...
2007/12/01 09:26:00:984: \\.\pipe\AdwareAlert.service.communication is the named pipe
2007/12/01 09:26:01:734: Contacting scanning service.
2007/12/01 09:26:01:921: Aquired scanning engine.
2007/12/01 09:26:01:921: Load Program Settings
2007/12/01 09:26:58:343: Found Item:
Type: trojan
SubType: dialer
Location: hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\realarea.biz (value: *)
2007/12/01 09:26:58:343: Found Item:
Type: trojan
SubType: dialer
Location: hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\realarea.biz
2007/12/01 09:26:58:375: Found Item:
Type: trojan-clicker
SubType: agent
Location: hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\analcord.com\www (value: *)
2007/12/01 09:26:58:375: Found Item:
Type: trojan-clicker
SubType: agent
Location: hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\analcord.com\www
2007/12/01 09:26:58:375: Found Item:
Type: trojan-clicker
SubType: agent
Location: hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\analcord.com (value: *)
2007/12/01 09:26:58:375: Found Item:
Type: trojan-clicker
SubType: agent
Location: hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\analcord.com
2007/12/01 09:26:58:375: Found Item:
Type: trojan-clicker
SubType: agent
Location: hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\gooogle.bz\www (value: *)
2007/12/01 09:26:58:375: Found Item:
Type: trojan-clicker
SubType: agent
Location: hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\gooogle.bz\www
2007/12/01 09:26:58:375: Found Item:
Type: trojan-clicker
SubType: agent
Location: hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\gooogle.bz (value: *)
2007/12/01 09:26:58:375: Found Item:
Type: trojan-clicker
SubType: agent
Location: hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\gooogle.bz
2007/12/01 09:26:58:375: Found Item:
Type: spyware
SubType: netbus pro
Location: d:\utilites\hlp_printer\hlp2text\setup.exe
2007/12/01 09:26:58:578: Setting Timer to Hide Splash
2007/12/01 09:26:59:093: Hiding Splash

WHAT I NEED TO RESOLVE:

1. Look at the last item in the above scan:

2007/12/01 09:26:58:375: Found Item:
Type: spyware
SubType: netbus pro
Location: d:\utilites\hlp_printer\hlp2text\setup.exe

This is a printer utility (allows hlp files to be printed as text files) that I have used many times. I am very sure it is not spyware!

Ad-Aware SE tech support says to do a remove all-- "If Ad-Aware detected it; it needs to be removed" is their attitude.

2. I asked Ad-Aware to remove a couple of the other items:
2007/12/01 09:26:58:375: Found Item:
Type: trojan-clicker
SubType: agent
Location: hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\gooogle.bz\www (value: *)
2007/12/01 09:26:58:375: Found Item:
Type: trojan-clicker
SubType: agent
Location: hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\gooogle.bz\www

Ad-Aware says they are removed, but a re-scan produces the same list. The items that were supposed to be removed are still there.

How do I remove them permanently? Ad-Aware support did not know why they re-appeared.

3. Does the Hijack This log show the same items as the Ad-Aware SE scan?


HIJACK THIS LOG:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:14:50 PM, on 12/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\AdwareAlert\AdwareAlertSrv.srv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
D:\UTILITES\Acronis_True_Image_9b36779(070907)\TimounterMonitor.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\UTILITES\SpySweeperFull\Spysweeper5_5_1b3356(062307)\INSTALL_5_5_1b3356(071507)\Spy Sweeper\SpySweeperUI.exe
F:\Ashampoo_2002_2003\UIWatcher.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
D:\Sea_Monkey_1_1_2(070407)\SeaMonkey.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
D:\UTILITES\SpySweeperFull\Spysweeper5_5_1b3356(062307)\INSTALL_5_5_1b3356(071507)\Spy Sweeper\SpySweeper.exe
C:\Program Files\AdwareAlert\AdwareAlert.exe
E:\NikonPictureProject175\NkbMonitor.exe
F:\ExplorerPlus_6_2_0(090107)\Nxdlghlp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
D:\UTILITES\SpySweeperFull\Spysweeper5_5_1b3356(062307)\INSTALL_5_5_1b3356(071507)\Spy Sweeper\SSU.EXE
F:\ExplorerPlus_6_2_0(090107)\NxExplo.exe
D:\UTILITES\HIjack_this\Hijack_This_Program_V202(120107)\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] "C:\WINDOWS\system32\JMRaidSetup.exe" boot
O4 - HKLM\..\Run: [AcronisTimounterMonitor] D:\UTILITES\Acronis_True_Image_9b36779(070907)\TimounterMonitor.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SpySweeper] "D:\UTILITES\SpySweeperFull\Spysweeper5_5_1b3356(062307)\INSTALL_5_5_1b3356(071507)\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [UIWatcher] F:\Ashampoo_2002_2003\UIWatcher.exe
O4 - HKCU\..\Run: [SeaMonkey Quick Launch] "d:\Sea_Monkey_1_1_2(070407)\SeaMonkey.exe" -turbo
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AdwareAlert] "C:\Program Files\AdwareAlert\AdwareAlert.exe" -boot
O4 - Startup: Dialog Tracker.lnk = F:\ExplorerPlus_6_2_0(090107)\Nxdlghlp.exe
O4 - Global Startup: NkbMonitor.exe.lnk = E:\NikonPictureProject175\NkbMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\OFFICE~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\OFFICE~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1184199298234
O23 - Service: AdwareAlert Scanning Engine (AdwareAlertSrv) - Unknown owner - C:\Program Files\AdwareAlert\AdwareAlertSrv.srv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - D:\UTILITES\SpySweeperFull\Spysweeper5_5_1b3356(062307)\INSTALL_5_5_1b3356(071507)\Spy Sweeper\SpySweeper.exe

--
End of file - 5605 bytes


THANKS, krazykat
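Question 3 above asks whether the HijackThis log lists the same items as the Ad-Aware SE scan. The following is an added example, not code from the post or from either tool: it parses "Found Item" blocks in the Ad-Aware SE log format shown above, separates registry ZoneMap entries from file paths, and checks each against a HijackThis log. Both sample logs are constructed from a few lines in the post's format; the assumption that HijackThis reports Internet Explorer zone assignments on "O15" lines is the example's own.

```python
import re

# Constructed sample (not the full log from the post): two Ad-Aware SE
# "Found Item" blocks in the format the post shows, plus a trailing status line.
ADAWARE_LOG = r"""2007/12/01 09:26:58:343: Found Item:
Type: trojan
SubType: dialer
Location: hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\realarea.biz (value: *)
2007/12/01 09:26:58:375: Found Item:
Type: spyware
SubType: netbus pro
Location: d:\utilites\hlp_printer\hlp2text\setup.exe
2007/12/01 09:26:58:578: Setting Timer to Hide Splash
"""

# Constructed sample of HijackThis lines in the same style as the posted log.
HJT_LOG = r"""O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O23 - Service: AdwareAlert Scanning Engine (AdwareAlertSrv) - Unknown owner - C:\Program Files\AdwareAlert\AdwareAlertSrv.srv.exe
"""

ITEM_RE = re.compile(
    r"^\d{4}/\d{2}/\d{2} [\d:]+ Found Item:\n"
    r"Type: (?P<type>.+)\nSubType: (?P<subtype>.+)\nLocation: (?P<location>.+)$",
    re.MULTILINE,
)

def parse_found_items(log):
    """Turn each 'Found Item' block into a dict; split off a trailing '(value: ...)'."""
    items = []
    for m in ITEM_RE.finditer(log):
        loc, value = m["location"], None
        vm = re.search(r" \(value: (.*)\)$", loc)
        if vm:
            loc, value = loc[:vm.start()], vm.group(1)
        kind = "registry" if loc.lower().startswith("hkey_") else "file"
        items.append({"type": m["type"], "subtype": m["subtype"],
                      "location": loc, "value": value, "kind": kind})
    return items

def zonemap_domain(location):
    """Domain named by an IE ZoneMap\\Domains key, or None for other locations."""
    m = re.search(r"\\zonemap\\domains\\([^\\]+)", location, re.IGNORECASE)
    return m.group(1) if m else None

def in_hjt_log(item, hjt_log):
    """True if HijackThis mentions the same path, or the zone domain on an O15 line (assumed)."""
    lines = hjt_log.lower().splitlines()
    domain = zonemap_domain(item["location"])
    if domain:
        return any(l.startswith("o15") and domain.lower() in l for l in lines)
    return any(item["location"].lower() in l for l in lines)

def unmatched(adaware_log, hjt_log):
    """Locations Ad-Aware flagged that the HijackThis log does not mention."""
    return [i["location"] for i in parse_found_items(adaware_log) if not in_hjt_log(i, hjt_log)]
```

Run `unmatched(ADAWARE_LOG, HJT_LOG)` against the real logs to list the Ad-Aware findings that a HijackThis log would not surface on its own.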



#2 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 14 December 2007 - 07:00 PM

I suggest you do this:

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Clear "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Clear "Hide protected operating system files."
Click Apply, and then click OK.


Please do not delete anything unless instructed to.

Next:

Please download ATF Cleaner by Atribune.
Download - ATF Cleaner»

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.


(If you use FireFox or the Opera browser
To keep saved passwords, click No at the prompt.)

It's normal after running ATF cleaner that the PC will be slower to boot the first time.

Next:

Download ComboFix from Here to your Desktop.

**Note: In the event you already have Combofix, please delete it from your desktop and download this new version. It is important that it is saved directly to your desktop**
--------------------------------------------------------------------

  • Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running combofix.
  • WARNING: IF you have not already done so Combofix will disconnect your machine from the Internet when it starts
  • Please do not re-connect your machine back to the Internet until Combofix has completely finished.
--------------------------------------------------------------------

    Double click on combofix.exe & follow the prompts.
    When finished, it will produce a report for you.
    Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review

    ****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

    *If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days


Proud graduate of TC/WTT Classroom

 


#3 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 31 December 2007 - 09:59 AM

Due to inactivity this topic will be closed. If you need help please start a new thread and post a new HJT log
