Please review my Log

Discussion in 'adware, spyware & hijack cleaning' started by SuaSponte, Jan 18, 2004.

Thread Status:
Not open for further replies.
  1. SuaSponte

    SuaSponte Registered Member

    Joined:
    Jan 6, 2004
    Posts:
    16
    Location:
    USA - Dallas, Texas
    Hey everyone, I have Spyware Guard and SpyBlaster running. I had AVG do a scan this morning, and it located 3 viruses. They were called BackDoor.Ad....something. AVG said that it healed the 3 issues, and I wanted to make sure. This is my log.



    Logfile of HijackThis v1.97.6
    Scan saved at 10:53:31 AM, on 1/18/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\carpserv.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
    C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
    C:\WINDOWS\System32\wbem\wmiapsrv.exe
    C:\PROGRA~1\Grisoft\AVG6\AVGCC32.EXE
    C:\Documents and Settings\Tracy Dexter\Local Settings\Temp\Temporary Directory 4 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r3.attbi.com:8000
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = sas.r3.attbi.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dellnet.com/
    O1 - Hosts: 203.161.127.141 www.dcsresearch.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
    O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [COMMUNICATE! PRO 5.0 IBM] C:\Program Files\COMMUNICATE! PRO 5\bin\setupibm.exe
    O4 - HKCU\..\Run: [MoneyAgent] ""C:\Program Files\Microsoft Money\System\Money Express.exe""
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
    O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\TRACYD~1\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"
    O4 - Startup: Pop-Up Stopper.lnk = C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Create Mobile Favorite (HKLM)
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
    O16 - DPF: {76D90D08-EAB7-46D8-BF99-87445BF59E72} (SystemInfo Class) - http://directv.direcway.com/dwayready/dpcsysinfo.cab
    O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell.com/Media/VisitorChat/TLIEFlash.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
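    The first-pass triage a log reader does by eye on a HijackThis log can be scripted. The following is an added example, not code from this thread or from HijackThis: it parses lines in the `Rn`/`On` entry format and flags the three kinds of item in this log that deserve a second look, an O1 hosts-file override, an R1 proxy setting, and an O4 autorun launching from a Temp directory. The sample lines are copied from the log above; the flagging rules are this example's own heuristics and say nothing about whether an entry is malicious.

```python
import re

# Sample lines, copied from the HijackThis log posted above (a subset, for the example).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r3.attbi.com:8000
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dellnet.com/
O1 - Hosts: 203.161.127.141 www.dcsresearch.com
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\TRACYD~1\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

# Every HijackThis entry line starts with a section code (R0, R1, O1, O4, O16, ...) then " - ".
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
# A path component named Temp anywhere in the launched command line.
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)


def parse_log(text):
    """Return (section code, body) pairs for every entry line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def triage(text):
    """Heuristic review rules (this example's own): return (code, reason) for entries to check by hand."""
    findings = []
    for code, body in parse_log(text):
        if code == "O1":
            # body looks like "Hosts: <ip> <hostname>"
            ip, host = body.split(":", 1)[1].split()[:2]
            findings.append((code, f"hosts file pins {host} to {ip}; confirm that is the address you expect"))
        elif code == "R1" and "ProxyServer" in body:
            proxy = body.split("=", 1)[1].strip()
            findings.append((code, f"Internet Explorer proxy set to {proxy}; confirm you configured it"))
        elif code == "O4" and TEMP_DIR_RE.search(body):
            findings.append((code, f"autorun entry launches from a Temp directory: {body}"))
    return findings


if __name__ == "__main__":
    for code, reason in triage(SAMPLE_LOG):
        print(f"{code}: {reason}")
```

    The output is a list of prompts, not detections. Pieter's review of the full log finds no active malware in it, and that is exactly the distinction a script cannot make: a stale forum IP in the hosts file, an ISP proxy and a vendor's uninstall helper all trip the same rules as a hijack would.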
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi SuaSponte,

    No active malware in your log.

    You can change this line in your hosts file
    203.161.127.141 www.dcsresearch.com
    to
    64.91.255.87 www.dcsresearch.com
    which is the new IP of the DiamondCS forums.

    The hosts file in XP is located here:
    C:\WINDOWS\system32\drivers\etc\hosts
    It's a file without an extension, and you can open it in Notepad. Then edit and save.

    Regards,

    Pieter
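    The hosts-file edit Pieter describes, done with a script instead of Notepad. This is an added example, not code from the thread: `update_hosts_entry` repoints whatever address a hostname currently maps to, leaving comments and unrelated lines untouched, and `update_hosts_file` applies that to the XP path from the post after taking a backup. The sample hosts content is constructed for the example, apart from the dcsresearch line taken from the log.

```python
import ipaddress
import shutil
from pathlib import Path

# Location Pieter gives for Windows XP.
XP_HOSTS = Path(r"C:\WINDOWS\system32\drivers\etc\hosts")

# Constructed sample; only the dcsresearch line is taken from the posted log.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
203.161.127.141 www.dcsresearch.com
"""


def update_hosts_entry(text, hostname, new_ip):
    """Return hosts-file text with every line that maps `hostname` repointed at `new_ip`.

    Comments, blank lines and unrelated entries are kept exactly as they were; if the
    hostname is not present, a new entry is appended. Raises ValueError for a bad IP.
    """
    ipaddress.ip_address(new_ip)          # reject anything that is not an IPv4/IPv6 literal
    wanted = hostname.lower()
    out, replaced = [], False
    for line in text.splitlines():
        entry, sep, comment = line.partition("#")
        fields = entry.split()
        if len(fields) >= 2 and wanted in (f.lower() for f in fields[1:]):
            # swap only the address; keep any aliases and the trailing comment
            rebuilt = f"{new_ip} {' '.join(fields[1:])}"
            if sep:
                rebuilt += f"  #{comment}"
            out.append(rebuilt)
            replaced = True
        else:
            out.append(line)
    if not replaced:
        out.append(f"{new_ip} {hostname}")
    return "\n".join(out) + "\n"


def update_hosts_file(path, hostname, new_ip):
    """Apply update_hosts_entry to a real hosts file, keeping a .bak copy beside it.

    On Windows this needs an Administrator account; if a protection tool has set the
    file read-only, clear that attribute first.
    """
    path = Path(path)
    shutil.copy2(path, path.with_name(path.name + ".bak"))
    path.write_text(update_hosts_entry(path.read_text(), hostname, new_ip))


if __name__ == "__main__":
    # e.g. update_hosts_file(XP_HOSTS, "www.dcsresearch.com", "64.91.255.87")
    print(update_hosts_entry(SAMPLE_HOSTS, "www.dcsresearch.com", "64.91.255.87"), end="")
```

    The IP check matters because a hosts line is taken at face value by the resolver: a typo or a pasted hostname in the address column silently breaks the mapping rather than erroring, and a hosts entry is the same mechanism hijackers use to send a site name somewhere else, which is why the O1 line drew attention in the first place.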
     
  3. SuaSponte

    SuaSponte Registered Member

    Joined:
    Jan 6, 2004
    Posts:
    16
    Location:
    USA - Dallas, Texas
    Just got a pop-up notification of the same thing. It told me to run AVG again. I wasn't even logged into the computer this time.

    BackDoor.Adware.A Trojan is what it was telling me about.
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi SuaSponte,

    Can you please tell us where this is found?

    Regards,

    Pieter
     
  5. SuaSponte

    SuaSponte Registered Member

    Joined:
    Jan 6, 2004
    Posts:
    16
    Location:
    USA - Dallas, Texas
    So far, this is what was found:

    Positive ID: TrojanDownloader.Win32.AdGoblin
    Path: c\documents and settings\tracy dexter\local settings\temp

    Positive ID (embedded in file): TrojanDownloader.Win32.AdGoblin
    Path: c\documents and settings\tracy dexter\local settings\temp\temporary directory 2 for hijackthis.zip
    Name: file backup-20040106-83554-449.DLL

    Positive ID (DLL): Adware.AdGoblin (DLL)
    Path: c\documents and settings\tracy dexter\local settings\temp\temporary directory 2 for hijackthis.zip
    Name: file backup-20040106-83554-449.DLL

    Suspicious Filename: Dual Extensions
    Path: c\documents and settings\tracydexter\my documents\downloads
    Name: trillian-v0.74d.exe

    TDS-3 crashed shortly afterwards.
     
  6. SuaSponte

    SuaSponte Registered Member

    Joined:
    Jan 6, 2004
    Posts:
    16
    Location:
    USA - Dallas, Texas
    Pop-Up Window Says:

    Virus
    Trojan horse BackDoor.Adbreak.A

    Found in: C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP119\A0014786.dll
     
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi SuaSponte,

    TDS found the backups HijackThis made. :)

    The Local Settings folder they are in is hidden by default.
    Check here how to "unhide" hidden files and folders: http://www.tacktech.com/display.cfm?ttid=192

    You can empty the entire Temp folder.

    The alarm on the Trillian file is caused by the multiple "." in the filename. That could be double extensions, which are often used to fool people into believing a file is something different than it really is.
    You can ignore that one.

    Regards,

    Pieter
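    Pieter's point about the Trillian file, as an added example that is not from the thread or from TDS: a small classifier that treats extra dots as harmless when the final extension is the only real one, but flags a document extension sitting immediately before an executable one, including the variant padded with spaces so the real extension scrolls out of view. The extension lists and category names are this example's own.

```python
# Extension sets and category names are this example's own, not TDS's rules.
EXECUTABLE_EXT = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "js", "hta"}
DOCUMENT_EXT = {"jpg", "jpeg", "gif", "png", "bmp", "txt", "doc", "pdf", "zip", "mp3", "avi", "htm", "html"}


def classify_filename(name):
    """Classify a filename by what its dots are doing.

    "executable"           - ends in an executable extension and the segment before it
                             is not a file type (trillian-v0.74d.exe: "74d" is part of a
                             version number, not an extension)
    "disguised-executable" - a document extension sits just before the executable one
                             (photo.jpg.exe, or "invoice.pdf        .scr" padded with spaces)
    "not-executable"       - the final extension is not one Windows will run
    "no-extension"         - no dot at all
    """
    # strip() on each segment defeats the "lots of spaces before .exe" padding trick
    parts = [p.strip() for p in name.lower().split(".")]
    if len(parts) < 2:
        return "no-extension"
    ext = parts[-1]
    if ext not in EXECUTABLE_EXT:
        return "not-executable"
    if len(parts) > 2 and parts[-2] in DOCUMENT_EXT:
        return "disguised-executable"
    return "executable"


def flag_downloads(names):
    """Return only the names worth a closer look, in input order."""
    return [n for n in names if classify_filename(n) == "disguised-executable"]


if __name__ == "__main__":
    for n in ["trillian-v0.74d.exe", "photo.jpg.exe", "invoice.pdf        .scr", "readme.txt"]:
        print(f"{n!r}: {classify_filename(n)}")
```

    This only narrows the "dual extensions" warning to the cases that actually imitate a document; it is not a malware check, and an installer simply named setup.exe passes it. Whether the file is what it claims to be is still a question for the scanner, which is why the Trillian installer being clean matches Pieter's reading.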
     
  8. SuaSponte

    SuaSponte Registered Member

    Joined:
    Jan 6, 2004
    Posts:
    16
    Location:
    USA - Dallas, Texas
    I deleted everything in the Temp folder, but the notification window still comes up.
     
  9. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Re: Pop-Up Window Says:

    Because it is in your System Restore Points:
    Disable System Restore, reboot, re-enable System Restore, scan to make sure you are clean and make a Manual Restore Point.

    Explanation with screenshots can be found here:
    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?OpenDocument&src=sec_doc_nam

    Regards,

    Pieter
     
  10. SuaSponte

    SuaSponte Registered Member

    Joined:
    Jan 6, 2004
    Posts:
    16
    Location:
    USA - Dallas, Texas
    I think that fixed it.

    Now I just need to fix TDS... get it to stop crashing halfway through the Full scan.
     