Wilders Security Forums  

Spyware Cleaning Section Closed!!
Notice: The spyware cleaning (HijackThis) section is closed. Wilders Security no longer provides one on one spyware cleaning assistance. Please see this announcement for a list of websites that provide such services.
#1  January 18th, 2004, 11:58 AM
SuaSponte (Infrequent Poster)
Please review my Log

Hey everyone, I have Spyware Guard and SpyBlaster running. I had AVG do a scan this morning, and it located 3 viruses... they were called BackDoor.Ad...something. AVG said that it healed the 3 issues, and I wanted to make sure. This is my log.

Logfile of HijackThis v1.97.6
Scan saved at 10:53:31 AM, on 1/18/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\PROGRA~1\Grisoft\AVG6\AVGCC32.EXE
C:\Documents and Settings\Tracy Dexter\Local Settings\Temp\Temporary Directory 4 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r3.attbi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = sas.r3.attbi.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dellnet.com/
O1 - Hosts: 203.161.127.141 www.dcsresearch.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [COMMUNICATE! PRO 5.0 IBM] C:\Program Files\COMMUNICATE! PRO 5\bin\setupibm.exe
O4 - HKCU\..\Run: [MoneyAgent] ""C:\Program Files\Microsoft Money\System\Money Express.exe""
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\TRACYD~1\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"
O4 - Startup: Pop-Up Stopper.lnk = C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {76D90D08-EAB7-46D8-BF99-87445BF59E72} (SystemInfo Class) - http://directv.direcway.com/dwayready/dpcsysinfo.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell.com/Media/VisitorChat/TLIEFlash.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

__________________
7th ID - 101st Airborne - 75th Ranger Rgt / 2nd Ranger Bn
Panama-Operation Just Cause, Persian Gulf-Desert Shield/Storm, Somalia-Operation Restore Hope/Continue Hope/United Shield, Bosnia, Kosovo
#2  January 18th, 2004, 12:22 PM
Pieter_Arntz (Spyware Veteran)
Re: Please review my Log

Hi SuaSponte,

No active malware in your log.

You can change this line in your hosts file
203.161.127.141 www.dcsresearch.com
to
64.91.255.87 www.dcsresearch.com
which is the new IP of the DiamondCS forums.

The hosts file in XP is located here:
C:\WINDOWS\system32\drivers\etc\hosts
It's a file without an extension, and you can open it in Notepad. Then edit and save.

Regards,

Pieter
__________________
Regards,

Pieter
It's nice to be important, but it's more important to be nice.

It's human to make mistakes. It's even more so to blame the computer for it.
#3  January 18th, 2004, 01:31 PM
SuaSponte (Infrequent Poster)
Re: Please review my Log

Just got a pop-up notification of the same thing. It told me to run AVG again. I wasn't even logged into the computer this time.

BackDoor.Adware.A Trojan is what it was telling me about.
#4  January 18th, 2004, 01:35 PM
Pieter_Arntz (Spyware Veteran)
Re: Please review my Log

Hi SuaSponte,

Can you please tell us where this is found?

Regards,

Pieter
#5  January 18th, 2004, 02:06 PM
SuaSponte (Infrequent Poster)
Re: Please review my Log

So far, this is what was found:

Positive ID: TrojanDownloader.Win32.AdGoblin
Path: c\documents and settings\tracy dexter\local settings\temp

Positive ID (embedded in file): TrojanDownloader.Win32.AdGoblin
Path: c\documents and settings\tracy dexter\local settings\temp\temporary directory 2 for hijackthis.zip
Name: file backup-20040106-83554-449.DLL

Positive ID (DLL): Adware.AdGoblin (DLL)
Path: c\documents and settings\tracy dexter\local settings\temp\temporary directory 2 for hijackthis.zip
Name: file backup-20040106-83554-449.DLL

Suspicious Filename: Dual Extensions
Path: c\documents and settings\tracydexter\my documents\downloads
Name: trillian-v0.74d.exe

TDS-3 crashed shortly afterwards.
#6  January 18th, 2004, 02:51 PM
SuaSponte (Infrequent Poster)
Pop-Up Window Says:

Virus
Trojan horse BackDoor.Adbreak.A

Found in: C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP119\A0014786.dll
#7  January 18th, 2004, 02:53 PM
Pieter_Arntz (Spyware Veteran)
Re: Please review my Log

Hi SuaSponte,

TDS found the backups HijackThis made.

The Local Settings folder they are in is hidden by default.
Check here how to "unhide" hidden files and folders: http://www.tacktech.com/display.cfm?ttid=192

You can empty the entire Temp folder.

The alarm on the Trillian file is caused by the multiple "." in the filename. That could be double extensions, which are often used to fool people into believing a file is something different than it really is.
You can ignore that one.

Regards,

Pieter
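The dual-extension heuristic Pieter describes above, as an added example (not part of the thread and not TDS-3's own logic): the naive rule that fires on any second "." in a name, beside a stricter rule that only flags a decoy document or media extension sitting directly before an executable one. The two extension sets are constructed for illustration, and the sample filenames include the two from this thread.

```python
"""Double-extension check: naive rule versus a decoy-aware rule.

Added example; the extension lists below are constructed, not authoritative.
"""

# Constructed set of extensions Windows will run or script on double-click.
EXECUTABLE_EXTS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "js", "dll"}

# Constructed set of harmless-looking extensions used as the decoy segment,
# e.g. invoice.pdf.exe. With "Hide extensions for known file types" enabled,
# Explorer displays such a file simply as "invoice.pdf".
DECOY_EXTS = {"pdf", "doc", "xls", "txt", "jpg", "jpeg", "gif", "png",
              "mp3", "zip", "htm", "html"}


def naive_dual_extension(name: str) -> bool:
    """The crude rule that fired on trillian-v0.74d.exe: more than one '.'."""
    return name.count(".") > 1


def dual_extension_verdict(name: str) -> str:
    """Classify a filename as 'not_dual', 'benign' or 'suspicious'.

    'suspicious' requires BOTH an executable final extension AND a known decoy
    extension immediately before it. Whitespace around each segment is stripped
    first, so a padded name like "photo.jpg        .scr" (padding pushes the
    real extension out of view in narrow columns) is judged on its real parts.
    """
    parts = [p.strip().lower() for p in name.split(".")]
    if len(parts) < 3:
        return "not_dual"       # single extension: nothing to disguise
    real_ext, decoy = parts[-1], parts[-2]
    if real_ext in EXECUTABLE_EXTS and decoy in DECOY_EXTS:
        return "suspicious"
    return "benign"             # e.g. a version number such as v0.74d.exe


if __name__ == "__main__":
    # Constructed sample set, including the two filenames from this thread.
    for fname in ["trillian-v0.74d.exe",
                  "backup-20040106-83554-449.DLL",
                  "invoice.pdf.exe",
                  "photo.jpg                    .scr"]:
        print(f"{fname!r}: naive={naive_dual_extension(fname)}, "
              f"verdict={dual_extension_verdict(fname)}")
```

The Trillian name trips the naive rule but not the decoy-aware one, which is exactly the false positive described in the post.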
#8  January 18th, 2004, 04:09 PM
SuaSponte (Infrequent Poster)
Re: Please review my Log

I deleted everything in the Temp folder, but the notification window still comes up.
#9  January 18th, 2004, 04:13 PM
Pieter_Arntz (Spyware Veteran)
Re: Pop-Up Window Says:

Quote (SuaSponte wrote):
Virus
Trojan horse BackDoor.Adbreak.A

Found in: C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP119\A0014786.dll


Because it is in your System Restore Points:
Disable System Restore, reboot, re-enable System Restore, scan to make sure you are clean and make a Manual Restore Point.

Explanation with screenshots can be found here:
http://service1.symantec.com/SUPPORT...rc=sec_doc_nam

Regards,

Pieter
#10  January 18th, 2004, 05:39 PM
SuaSponte (Infrequent Poster)
Re: Please review my Log

I think that fixed it.

Now I just need to fix TDS... get it to stop crashing halfway through the Full scan.
All times are GMT -4.