Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

[Referred]Derbiz again [RESOLVED]

Started by Wigster78 , Apr 29 2005 10:22 AM

  • This topic is locked This topic is locked

#1
Wigster78
Posted 29 April 2005 - 10:22 AM

Wigster78

    Member

  • Member
  • PipPip
  • 17 posts
Hey,

Am getting a pop up for derbiz and it is setting itself as my home page. PLus pop ups. Have run ad-aware, spy-bot and recently used ET remover to get rid of the elite bar.
My Hijack this thing is this.


HJT logfile removed: Not requested

Edited by Andy_veal, 29 April 2005 - 10:26 AM.

  • 0

Advertisements

#2
Rawe
Posted 29 April 2005 - 10:27 AM

Rawe

    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
HiJackThis logs go to Malware forums, Ad-aware logs comes here.
If you need help with this log which you posted, you should start a topic at Malware forums.
If you need help otherwise, I would suggest you to post your Ad-aware log in this topic..

- Rawe :tazz:
  • 0

#3
Guest_Andy_veal_*
Posted 29 April 2005 - 10:30 AM

Guest_Andy_veal_*
  • Guest
Hello and Welcome

Ad-aware SE build 1.05 is the most current version,

As you are not using Ad-aware SE, Please could you download it

Just make sure you uninstall any old version of Ad-Aware before installing SE. After installing SE, then update your definition file * SE1R42 28.04.2005 *.

In order to assist you, we need to see the log from an Ad-Aware SE 1.05 full system scan.

Important Note! Before performing a scan, be sure that you have the most recent definitions file by using WebUpdate. (Click on the Globe icon, Click connect, Click OK, Click Finish.) At this current point * SE1R42 28.04.2005 * is the most recent definition file.

Ad-Aware SE comes preconfigured with default options so we need you to make only one change. Please deselect "Search for negligible risk entries" as negligible risk entries (MRU's) are not considered to be a threat. This option can be changed when choosing your scan type.

Select "Perform Full System Scan" and press "Next". When the scan has completed, click "Show Logfile".

Please copy/paste the complete log file here using the reply button. Don't quarantine or remove anything at this time, just post a complete logfile. This sometimes takes 2-3 posts to get it all posted. You will know you are at the end when you see the "Summary of this scan" information has been posted.

When you have posted your log here, Team Lavasoft can advise on what to do next.

Please post back if you have any questions or other problems.

Good luck

Andy
  • 0

#4
Wigster78
Posted 04 May 2005 - 09:43 AM

Wigster78

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
This is the logfile

Ad-Aware SE Build 1.05
Logfile Created on:04 May 2005 16:33:33
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R8 13.09.2004
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Tracking Cookie(TAC index:3):19 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


04-05-2005 16:33:33 - Scan started. (Full System Scan)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 144
ThreadCreationTime : 04-05-2005 07:29:23
BasePriority : Normal


#:2 [csrss.exe]
FilePath : \??\C:\WINNT\system32\
ProcessID : 168
ThreadCreationTime : 04-05-2005 07:29:42
BasePriority : Normal


#:3 [winlogon.exe]
FilePath : \??\C:\WINNT\system32\
ProcessID : 164
ThreadCreationTime : 04-05-2005 07:29:45
BasePriority : High


#:4 [services.exe]
FilePath : C:\WINNT\system32\
ProcessID : 216
ThreadCreationTime : 04-05-2005 07:29:46
BasePriority : Normal
FileVersion : 5.00.2195.6700
ProductVersion : 5.00.2195.6700
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINNT\system32\
ProcessID : 228
ThreadCreationTime : 04-05-2005 07:29:46
BasePriority : Normal
FileVersion : 5.00.2195.6902
ProductVersion : 5.00.2195.6902
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Executable and Server DLL (Export Version)
InternalName : lsasrv.dll and lsass.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : lsasrv.dll and lsass.exe

#:6 [svchost.exe]
FilePath : C:\WINNT\system32\
ProcessID : 396
ThreadCreationTime : 04-05-2005 07:29:51
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : svchost.exe

#:7 [ccsetmgr.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ProcessID : 424
ThreadCreationTime : 04-05-2005 07:29:51
BasePriority : Normal
FileVersion : 2.2.1.004
ProductVersion : 2.2.1.004
ProductName : Common Client
CompanyName : Symantec Corporation
FileDescription : Common Client Settings Manager Service
InternalName : ccSetMgr
LegalCopyright : Copyright © 2000-2003 Symantec Corporation. All rights reserved.
OriginalFilename : ccSetMgr.exe

#:8 [ccevtmgr.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ProcessID : 452
ThreadCreationTime : 04-05-2005 07:29:53
BasePriority : Normal
FileVersion : 2.2.1.004
ProductVersion : 2.2.1.004
ProductName : Common Client
CompanyName : Symantec Corporation
FileDescription : Common Client Event Manager Service
InternalName : ccEvtMgr
LegalCopyright : Copyright © 2000-2003 Symantec Corporation. All rights reserved.
OriginalFilename : ccEvtMgr.exe

#:9 [spoolsv.exe]
FilePath : C:\WINNT\system32\
ProcessID : 552
ThreadCreationTime : 04-05-2005 07:29:54
BasePriority : Normal
FileVersion : 5.00.2195.6659
ProductVersion : 5.00.2195.6659
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolss.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : spoolss.exe

#:10 [trcboot.exe]
FilePath : C:\WINNT\System32\drivers\
ProcessID : 580
ThreadCreationTime : 04-05-2005 07:29:54
BasePriority : Normal


#:11 [asfagent.exe]
FilePath : C:\Program Files\Intel\ASF Agent\
ProcessID : 644
ThreadCreationTime : 04-05-2005 07:30:07
BasePriority : Normal
FileVersion : 3.0
ProductVersion : 3.0
ProductName : Intel® PRO Alerting Suite ASF 1.0 Compatible
CompanyName : Intel Corporation
FileDescription : ASF Agent COM Service
InternalName : ASFAgent
LegalCopyright : Copyright © 2000-2002 Intel Corporation
OriginalFilename : ASFAgent.EXE

#:12 [defwatch.exe]
FilePath : C:\Program Files\Symantec AntiVirus\
ProcessID : 676
ThreadCreationTime : 04-05-2005 07:30:07
BasePriority : Normal
FileVersion : 9.0.2.1000
ProductVersion : 9.0.2.1000
ProductName : Symantec AntiVirus
CompanyName : Symantec Corporation
FileDescription : Virus Definition Daemon
InternalName : DefWatch
LegalCopyright : Copyright 1998 - 2004 Symantec Corporation. All rights reserved.
OriginalFilename : DefWatch.exe

#:13 [svchost.exe]
FilePath : C:\WINNT\System32\
ProcessID : 692
ThreadCreationTime : 04-05-2005 07:30:07
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : svchost.exe

#:14 [ldlcserv.exe]
FilePath : C:\WINNT\System32\drivers\
ProcessID : 720
ThreadCreationTime : 04-05-2005 07:30:08
BasePriority : Normal


#:15 [rtvscan.exe]
FilePath : C:\Program Files\NavNT\
ProcessID : 840
ThreadCreationTime : 04-05-2005 07:30:12
BasePriority : Normal
FileVersion : 7.60.00.926
ProductVersion : 7.60.00.926
ProductName : Norton AntiVirus
CompanyName : Symantec Corporation
FileDescription : Norton AntiVirus
LegalCopyright : Copyright © Symantec Corporation 1991-2000

#:16 [radexecd.exe]
FilePath : C:\Program Files\Novadigm\
ProcessID : 864
ThreadCreationTime : 04-05-2005 07:30:15
BasePriority : Normal
FileVersion : 3,1,0,0
ProductVersion : 3.1.0
ProductName : Radia®
CompanyName : Novadigm
FileDescription : radexecd
InternalName : radexecd
LegalCopyright : © Novadigm, Inc. 1993 - 2002 All rights reserved.
OriginalFilename : radexecd.exe
Comments : Radia® Notify Daemon(Windows NT)

#:17 [radsched.exe]
FilePath : C:\Program Files\Novadigm\
ProcessID : 896
ThreadCreationTime : 04-05-2005 07:30:17
BasePriority : Normal
FileVersion : 3,1,0,0
ProductVersion : 3.1.0
ProductName : Radia®
CompanyName : Novadigm
FileDescription : radsched
InternalName : radsched
LegalCopyright : © Novadigm, Inc. 1993 - 2002 All rights reserved.
OriginalFilename : radsched.exe
Comments : Radia® Scheduler Daemon(Windows NT)

#:18 [radstgms.exe]
FilePath : C:\Program Files\Novadigm\
ProcessID : 908
ThreadCreationTime : 04-05-2005 07:30:17
BasePriority : Normal
FileVersion : 3,1,1,0
ProductVersion : 3.1.1
ProductName : Radia®
CompanyName : Novadigm
FileDescription : radstgms
InternalName : radstgms
LegalCopyright : © Novadigm, Inc. 1993 - 2003 All rights reserved.
OriginalFilename : radstgms.exe
Comments : Radia® MSI Redirector for Windows NT, Windows 2000 & Windows XP

#:19 [regsvc.exe]
FilePath : C:\WINNT\system32\
ProcessID : 920
ThreadCreationTime : 04-05-2005 07:30:19
BasePriority : Normal
FileVersion : 5.00.2195.6701
ProductVersion : 5.00.2195.6701
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Remote Registry Service
InternalName : regsvc
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : REGSVC.EXE

#:20 [savroam.exe]
FilePath : C:\Program Files\Symantec AntiVirus\
ProcessID : 936
ThreadCreationTime : 04-05-2005 07:30:19
BasePriority : Normal
FileVersion : 9.0.2.1000
ProductVersion : 9.0.2.1000
ProductName : Symantec SAVRoam
CompanyName : symantec
FileDescription : SAVRoam
InternalName : SAVRoam
LegalCopyright : Copyright 2002 - 2004 Symantec Corporation. All rights reserved.
OriginalFilename : SAVRoam.exe

#:21 [mstask.exe]
FilePath : C:\WINNT\system32\
ProcessID : 976
ThreadCreationTime : 04-05-2005 07:30:20
BasePriority : Normal
FileVersion : 4.71.2195.6920
ProductVersion : 4.71.2195.6920
ProductName : Microsoft® Windows® Task Scheduler
CompanyName : Microsoft Corporation
FileDescription : Task Scheduler Engine
InternalName : TaskScheduler
LegalCopyright : Copyright © Microsoft Corp. 1997
OriginalFilename : mstask.exe

#:22 [rtvscan.exe]
FilePath : C:\Program Files\Symantec AntiVirus\
ProcessID : 1004
ThreadCreationTime : 04-05-2005 07:30:21
BasePriority : Normal
FileVersion : 9.0.2.1000
ProductVersion : 9.0.2.1000
ProductName : Symantec AntiVirus
CompanyName : Symantec Corporation
FileDescription : Symantec AntiVirus
LegalCopyright : Copyright 1991 - 2004 Symantec Corporation. All rights reserved.

#:23 [mspmspsv.exe]
FilePath : C:\WINNT\system32\
ProcessID : 1056
ThreadCreationTime : 04-05-2005 07:30:23
BasePriority : Normal
FileVersion : 7.10.00.3059
ProductVersion : 7.10.00.3059
ProductName : Microsoft ® DRM
CompanyName : Microsoft Corporation
FileDescription : WMDM PMSP Service
InternalName : MSPMSPSV.EXE
LegalCopyright : Copyright © Microsoft Corp. 1981-2000
OriginalFilename : MSPMSPSV.EXE

#:24 [svchost.exe]
FilePath : C:\WINNT\system32\
ProcessID : 1068
ThreadCreationTime : 04-05-2005 07:30:23
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : svchost.exe

#:25 [winmgmt.exe]
FilePath : C:\WINNT\System32\WBEM\
ProcessID : 1232
ThreadCreationTime : 04-05-2005 07:30:27
BasePriority : Normal
FileVersion : 1.50.1085.0100
ProductVersion : 1.50.1085.0100
ProductName : Windows Management Instrumentation
CompanyName : Microsoft Corporation
FileDescription : Windows Management Instrumentation
InternalName : WINMGMT
LegalCopyright : Copyright © Microsoft Corp. 1995-1999

#:26 [explorer.exe]
FilePath : C:\WINNT\
ProcessID : 1684
ThreadCreationTime : 04-05-2005 07:31:02
BasePriority : Normal
FileVersion : 5.00.3700.6690
ProductVersion : 5.00.3700.6690
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : EXPLORER.EXE

#:27 [hkcmd.exe]
FilePath : C:\WINNT\System32\
ProcessID : 1508
ThreadCreationTime : 04-05-2005 07:31:12
BasePriority : Normal
FileVersion : 3,0,0,1715
ProductVersion : 7,0,0,1715
ProductName : Intel® Common User Interface
CompanyName : Intel Corporation
FileDescription : hkcmd Module
InternalName : HKCMD
LegalCopyright : Copyright 1999-2002, Intel Corporation
OriginalFilename : HKCMD.EXE

#:28 [point32.exe]
FilePath : C:\Program Files\Microsoft Hardware\Mouse\
ProcessID : 1520
ThreadCreationTime : 04-05-2005 07:31:13
BasePriority : Normal


#:29 [vptray.exe]
FilePath : C:\PROGRA~1\SYMANT~1\
ProcessID : 1744
ThreadCreationTime : 04-05-2005 07:31:14
BasePriority : Normal
FileVersion : 9.0.2.1000
ProductVersion : 9.0.2.1000
ProductName : Symantec AntiVirus
CompanyName : Symantec Corporation
FileDescription : Symantec AntiVirus
LegalCopyright : Copyright 1991 - 2004 Symantec Corporation. All rights reserved.

#:30 [ccapp.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ProcessID : 1776
ThreadCreationTime : 04-05-2005 07:31:15
BasePriority : Normal
FileVersion : 2.2.1.004
ProductVersion : 2.2.1.004
ProductName : Common Client
CompanyName : Symantec Corporation
FileDescription : Common Client User Session
InternalName : ccApp
LegalCopyright : Copyright © 2000-2003 Symantec Corporation. All rights reserved.
OriginalFilename : ccApp.exe

#:31 [ctfmon.exe]
FilePath : C:\WINNT\system32\
ProcessID : 1492
ThreadCreationTime : 04-05-2005 07:31:20
BasePriority : Normal
FileVersion : 1.00.2409.7 built by: Lab06_N
ProductVersion : 1.00.2409.7
ProductName : Microsoft® Windows NT® Operating System
CompanyName : Microsoft Corporation
FileDescription : Cicero Loader
InternalName : CICLOAD
LegalCopyright : Copyright © Microsoft Corporation. 1981-2001
OriginalFilename : CICLOAD.EXE

#:32 [faxctrl.exe]
FilePath : C:\Program Files\RightFAX\
ProcessID : 1940
ThreadCreationTime : 04-05-2005 07:31:26
BasePriority : Normal
FileVersion : 7, 2, 0, 101
ProductVersion : 7, 2, 0, 101
ProductName : RightFAX, Inc.
CompanyName : RightFAX, Inc.
FileDescription : RightFAX 32-bit Windows Tray-Fax
InternalName : FAXCTRL
LegalCopyright : Copyright © 1995-1999, RightFAX, Inc.

#:33 [svchost.exe]
FilePath : C:\WINNT\System32\
ProcessID : 1968
ThreadCreationTime : 04-05-2005 07:31:27
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : svchost.exe

#:34 [pktray.exe]
FilePath : C:\Program Files\PKWARE\PKZIPM\7.10.0009\
ProcessID : 1904
ThreadCreationTime : 04-05-2005 07:31:34
BasePriority : Normal
FileVersion : 1.00.0062.0
ProductVersion : 7.10.0009
ProductName : PKZIP for Windows
CompanyName : PKWARE, Inc.
FileDescription : E-Mail Attchment Compression Tray Module
InternalName : PKTRAY
LegalCopyright : Copyright © 2001-2003 PKWARE, Inc.
LegalTrademarks : PKWARE, PKZIP, PKUNZIP, and PKSFX are registered trademarks of PKWARE, Inc.
OriginalFilename : PKTRAY.EXE

#:35 [outlook.exe]
FilePath : C:\Program Files\Microsoft Office\OFFICE11\
ProcessID : 1628
ThreadCreationTime : 04-05-2005 10:41:57
BasePriority : Normal


#:36 [javaw.exe]
FilePath : C:\Program Files\JavaSoft\JRE\1.3.1\bin\
ProcessID : 664
ThreadCreationTime : 04-05-2005 11:39:58
BasePriority : Normal


#:37 [iexplore.exe]
FilePath : C:\Program Files\Internet Explorer\
ProcessID : 628
ThreadCreationTime : 04-05-2005 15:11:53
BasePriority : Normal
FileVersion : 6.00.2800.1106
ProductVersion : 6.00.2800.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : IEXPLORE.EXE

#:38 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 1692
ThreadCreationTime : 04-05-2005 15:30:41
BasePriority : Normal
FileVersion : 6.2.0.206
ProductVersion : VI.Second Edition
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking Cookie Object Recognized!
Type : IECache Entry
Data : wigmanj@serving-sys[1].txt
Category : Data Miner
Comment : Hits:21
Value : Cookie:[email protected]/
Expires : 01-01-2038 06:00:00
LastSync : Hits:21
UseCount : 0
Hits : 21

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : [email protected][1].txt
Category : Data Miner
Comment : Hits:11
Value : Cookie:[email protected]/
Expires : 02-05-2015 08:54:08
LastSync : Hits:11
UseCount : 0
Hits : 11

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : wigmanj@zedo[2].txt
Category : Data Miner
Comment : Hits:308
Value : Cookie:[email protected]/
Expires : 27-04-2015 12:17:48
LastSync : Hits:308
UseCount : 0
Hits : 308

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : wigmanj@questionmarket[1].txt
Category : Data Miner
Comment : Hits:4
Value : Cookie:[email protected]/
Expires : 20-06-2006 07:49:42
LastSync : Hits:4
UseCount : 0
Hits : 4

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : wigmanj@tribalfusion[2].txt
Category : Data Miner
Comment : Hits:12
Value : Cookie:[email protected]/
Expires : 01-01-2038 01:00:00
LastSync : Hits:12
UseCount : 0
Hits : 12

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : wigmanj@fastclick[1].txt
Category : Data Miner
Comment : Hits:11
Value : Cookie:[email protected]/
Expires : 03-05-2007 14:19:56
LastSync : Hits:11
UseCount : 0
Hits : 11

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : wigmanj@revenue[2].txt
Category : Data Miner
Comment : Hits:11
Value : Cookie:[email protected]/
Expires : 10-06-2022 06:05:42
LastSync : Hits:11
UseCount : 0
Hits : 11

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : [email protected][2].txt
Category : Data Miner
Comment : Hits:14
Value : Cookie:[email protected]/
Expires : 05-05-2005 06:00:00
LastSync : Hits:14
UseCount : 0
Hits : 14

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : [email protected][1].txt
Category : Data Miner
Comment : Hits:51
Value : Cookie:[email protected]/
Expires : 05-05-2005 15:32:36
LastSync : Hits:51
UseCount : 0
Hits : 51

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : wigmanj@casalemedia[2].txt
Category : Data Miner
Comment : Hits:15
Value : Cookie:[email protected]/
Expires : 25-04-2006 04:33:04
LastSync : Hits:15
UseCount : 0
Hits : 15

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : [email protected][2].txt
Category : Data Miner
Comment : Hits:2
Value : Cookie:[email protected]/
Expires : 29-04-2015 01:00:00
LastSync : Hits:2
UseCount : 0
Hits : 2

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : wigmanj@bluestreak[2].txt
Category : Data Miner
Comment : Hits:15
Value : Cookie:[email protected]/
Expires : 02-05-2015 11:48:40
LastSync : Hits:15
UseCount : 0
Hits : 15

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 12
Objects found so far: 12



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : ithelpdesk@casalemedia[1].txt
Category : Data Miner
Comment :
Value : C:\Documents and Settings\ithelpdesk\Cookies\ithelpdesk@casalemedia[1].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : ithelpdesk@doubleclick[1].txt
Category : Data Miner
Comment :
Value : C:\Documents and Settings\ithelpdesk\Cookies\ithelpdesk@doubleclick[1].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : ithelpdesk@revenue[2].txt
Category : Data Miner
Comment :
Value : C:\Documents and Settings\ithelpdesk\Cookies\ithelpdesk@revenue[2].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : junkovah@2o7[1].txt
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Junkovah\Cookies\junkovah@2o7[1].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : junkovah@casalemedia[2].txt
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Junkovah\Cookies\junkovah@casalemedia[2].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : junkovah@cgi-bin[1].txt
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Junkovah\Cookies\junkovah@cgi-bin[1].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : junkovah@revenue[2].txt
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Junkovah\Cookies\junkovah@revenue[2].txt

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 19


Deep scanning and examining files (D:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for D:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 19


Scanning Hosts file......
Hosts file location:"C:\WINNT\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 19




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 19

16:40:52 Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:07:19.123
Objects scanned:81137
Objects identified:19
Objects ignored:0
New critical objects:19
  • 0

#5
Rawe
Posted 04 May 2005 - 09:46 AM

Rawe

    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
Please perform webupdate- feature and post a fresh log.
If your Webupdate doesn't find any new updates, you need to download this zip file from here; http://download.lava...public/defs.zip

Post back.

- Rawe :tazz:
  • 0

#6
Wigster78
Posted 25 May 2005 - 07:48 AM

Wigster78

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Hi

new logfile

Ad-Aware SE Build 1.05
Logfile Created on:25 May 2005 13:53:35
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R47 24.05.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Ebates MoneyMaker(TAC index:4):14 total references
Tracking Cookie(TAC index:3):1 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


25-05-2005 13:53:35 - Scan started. (Full System Scan)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 144
ThreadCreationTime : 25-05-2005 12:50:34
BasePriority : Normal


#:2 [csrss.exe]
FilePath : \??\C:\WINNT\system32\
ProcessID : 168
ThreadCreationTime : 25-05-2005 12:50:52
BasePriority : Normal


#:3 [winlogon.exe]
FilePath : \??\C:\WINNT\system32\
ProcessID : 164
ThreadCreationTime : 25-05-2005 12:50:55
BasePriority : High


#:4 [services.exe]
FilePath : C:\WINNT\system32\
ProcessID : 216
ThreadCreationTime : 25-05-2005 12:50:56
BasePriority : Normal
FileVersion : 5.00.2195.6700
ProductVersion : 5.00.2195.6700
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINNT\system32\
ProcessID : 228
ThreadCreationTime : 25-05-2005 12:50:56
BasePriority : Normal
FileVersion : 5.00.2195.6902
ProductVersion : 5.00.2195.6902
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Executable and Server DLL (Export Version)
InternalName : lsasrv.dll and lsass.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : lsasrv.dll and lsass.exe

#:6 [svchost.exe]
FilePath : C:\WINNT\system32\
ProcessID : 400
ThreadCreationTime : 25-05-2005 12:51:00
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : svchost.exe

#:7 [ccsetmgr.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ProcessID : 428
ThreadCreationTime : 25-05-2005 12:51:01
BasePriority : Normal
FileVersion : 2.2.1.004
ProductVersion : 2.2.1.004
ProductName : Common Client
CompanyName : Symantec Corporation
FileDescription : Common Client Settings Manager Service
InternalName : ccSetMgr
LegalCopyright : Copyright © 2000-2003 Symantec Corporation. All rights reserved.
OriginalFilename : ccSetMgr.exe

#:8 [ccevtmgr.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ProcessID : 456
ThreadCreationTime : 25-05-2005 12:51:02
BasePriority : Normal
FileVersion : 2.2.1.004
ProductVersion : 2.2.1.004
ProductName : Common Client
CompanyName : Symantec Corporation
FileDescription : Common Client Event Manager Service
InternalName : ccEvtMgr
LegalCopyright : Copyright © 2000-2003 Symantec Corporation. All rights reserved.
OriginalFilename : ccEvtMgr.exe

#:9 [spoolsv.exe]
FilePath : C:\WINNT\system32\
ProcessID : 552
ThreadCreationTime : 25-05-2005 12:51:03
BasePriority : Normal
FileVersion : 5.00.2195.6659
ProductVersion : 5.00.2195.6659
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolss.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : spoolss.exe

#:10 [trcboot.exe]
FilePath : C:\WINNT\System32\drivers\
ProcessID : 580
ThreadCreationTime : 25-05-2005 12:51:03
BasePriority : Normal


#:11 [asfagent.exe]
FilePath : C:\Program Files\Intel\ASF Agent\
ProcessID : 628
ThreadCreationTime : 25-05-2005 12:51:10
BasePriority : Normal
FileVersion : 3.0
ProductVersion : 3.0
ProductName : Intel® PRO Alerting Suite ASF 1.0 Compatible
CompanyName : Intel Corporation
FileDescription : ASF Agent COM Service
InternalName : ASFAgent
LegalCopyright : Copyright © 2000-2002 Intel Corporation
OriginalFilename : ASFAgent.EXE

#:12 [defwatch.exe]
FilePath : C:\Program Files\Symantec AntiVirus\
ProcessID : 660
ThreadCreationTime : 25-05-2005 12:51:11
BasePriority : Normal
FileVersion : 9.0.2.1000
ProductVersion : 9.0.2.1000
ProductName : Symantec AntiVirus
CompanyName : Symantec Corporation
FileDescription : Virus Definition Daemon
InternalName : DefWatch
LegalCopyright : Copyright 1998 - 2004 Symantec Corporation. All rights reserved.
OriginalFilename : DefWatch.exe

#:13 [svchost.exe]
FilePath : C:\WINNT\System32\
ProcessID : 676
ThreadCreationTime : 25-05-2005 12:51:11
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : svchost.exe

#:14 [ldlcserv.exe]
FilePath : C:\WINNT\System32\drivers\
ProcessID : 700
ThreadCreationTime : 25-05-2005 12:51:11
BasePriority : Normal


#:15 [nmssvc.exe]
FilePath : C:\WINNT\System32\
ProcessID : 728
ThreadCreationTime : 25-05-2005 12:51:12
BasePriority : Normal
FileVersion : 2.1.8.0
ProductVersion : 2.1.8.0
ProductName : NMS
CompanyName : Intel Corporation
FileDescription : NMS Module
InternalName : NMS Module
LegalCopyright : Copyright © 2000-2002 Intel Corp. All Rights Reserved

#:16 [rtvscan.exe]
FilePath : C:\Program Files\NavNT\
ProcessID : 800
ThreadCreationTime : 25-05-2005 12:51:15
BasePriority : Normal
FileVersion : 7.60.00.926
ProductVersion : 7.60.00.926
ProductName : Norton AntiVirus
CompanyName : Symantec Corporation
FileDescription : Norton AntiVirus
LegalCopyright : Copyright © Symantec Corporation 1991-2000

#:17 [radexecd.exe]
FilePath : C:\Program Files\Novadigm\
ProcessID : 872
ThreadCreationTime : 25-05-2005 12:51:18
BasePriority : Normal
FileVersion : 3,1,0,0
ProductVersion : 3.1.0
ProductName : Radia®
CompanyName : Novadigm
FileDescription : radexecd
InternalName : radexecd
LegalCopyright : © Novadigm, Inc. 1993 - 2002 All rights reserved.
OriginalFilename : radexecd.exe
Comments : Radia® Notify Daemon(Windows NT)

#:18 [radsched.exe]
FilePath : C:\Program Files\Novadigm\
ProcessID : 896
ThreadCreationTime : 25-05-2005 12:51:19
BasePriority : Normal
FileVersion : 3,1,0,0
ProductVersion : 3.1.0
ProductName : Radia®
CompanyName : Novadigm
FileDescription : radsched
InternalName : radsched
LegalCopyright : © Novadigm, Inc. 1993 - 2002 All rights reserved.
OriginalFilename : radsched.exe
Comments : Radia® Scheduler Daemon(Windows NT)

#:19 [radstgms.exe]
FilePath : C:\Program Files\Novadigm\
ProcessID : 908
ThreadCreationTime : 25-05-2005 12:51:20
BasePriority : Normal
FileVersion : 3,1,1,0
ProductVersion : 3.1.1
ProductName : Radia®
CompanyName : Novadigm
FileDescription : radstgms
InternalName : radstgms
LegalCopyright : © Novadigm, Inc. 1993 - 2003 All rights reserved.
OriginalFilename : radstgms.exe
Comments : Radia® MSI Redirector for Windows NT, Windows 2000 & Windows XP

#:20 [regsvc.exe]
FilePath : C:\WINNT\system32\
ProcessID : 924
ThreadCreationTime : 25-05-2005 12:51:21
BasePriority : Normal
FileVersion : 5.00.2195.6701
ProductVersion : 5.00.2195.6701
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Remote Registry Service
InternalName : regsvc
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : REGSVC.EXE

#:21 [savroam.exe]
FilePath : C:\Program Files\Symantec AntiVirus\
ProcessID : 936
ThreadCreationTime : 25-05-2005 12:51:21
BasePriority : Normal
FileVersion : 9.0.2.1000
ProductVersion : 9.0.2.1000
ProductName : Symantec SAVRoam
CompanyName : symantec
FileDescription : SAVRoam
InternalName : SAVRoam
LegalCopyright : Copyright 2002 - 2004 Symantec Corporation. All rights reserved.
OriginalFilename : SAVRoam.exe

#:22 [mstask.exe]
FilePath : C:\WINNT\system32\
ProcessID : 952
ThreadCreationTime : 25-05-2005 12:51:22
BasePriority : Normal
FileVersion : 4.71.2195.6920
ProductVersion : 4.71.2195.6920
ProductName : Microsoft® Windows® Task Scheduler
CompanyName : Microsoft Corporation
FileDescription : Task Scheduler Engine
InternalName : TaskScheduler
LegalCopyright : Copyright © Microsoft Corp. 1997
OriginalFilename : mstask.exe

#:23 [rtvscan.exe]
FilePath : C:\Program Files\Symantec AntiVirus\
ProcessID : 996
ThreadCreationTime : 25-05-2005 12:51:23
BasePriority : Normal
FileVersion : 9.0.2.1000
ProductVersion : 9.0.2.1000
ProductName : Symantec AntiVirus
CompanyName : Symantec Corporation
FileDescription : Symantec AntiVirus
LegalCopyright : Copyright 1991 - 2004 Symantec Corporation. All rights reserved.

#:24 [mspmspsv.exe]
FilePath : C:\WINNT\system32\
ProcessID : 1052
ThreadCreationTime : 25-05-2005 12:51:25
BasePriority : Normal
FileVersion : 7.10.00.3059
ProductVersion : 7.10.00.3059
ProductName : Microsoft ® DRM
CompanyName : Microsoft Corporation
FileDescription : WMDM PMSP Service
InternalName : MSPMSPSV.EXE
LegalCopyright : Copyright © Microsoft Corp. 1981-2000
OriginalFilename : MSPMSPSV.EXE

#:25 [svchost.exe]
FilePath : C:\WINNT\system32\
ProcessID : 1064
ThreadCreationTime : 25-05-2005 12:51:25
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : svchost.exe

#:26 [winmgmt.exe]
FilePath : C:\WINNT\System32\WBEM\
ProcessID : 304
ThreadCreationTime : 25-05-2005 12:51:30
BasePriority : Normal
FileVersion : 1.50.1085.0100
ProductVersion : 1.50.1085.0100
ProductName : Windows Management Instrumentation
CompanyName : Microsoft Corporation
FileDescription : Windows Management Instrumentation
InternalName : WINMGMT
LegalCopyright : Copyright © Microsoft Corp. 1995-1999

#:27 [explorer.exe]
FilePath : C:\WINNT\
ProcessID : 1656
ThreadCreationTime : 25-05-2005 12:51:52
BasePriority : Normal
FileVersion : 5.00.3700.6690
ProductVersion : 5.00.3700.6690
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : EXPLORER.EXE

#:28 [hkcmd.exe]
FilePath : C:\WINNT\System32\
ProcessID : 1588
ThreadCreationTime : 25-05-2005 12:51:57
BasePriority : Normal
FileVersion : 3,0,0,1715
ProductVersion : 7,0,0,1715
ProductName : Intel® Common User Interface
CompanyName : Intel Corporation
FileDescription : hkcmd Module
InternalName : HKCMD
LegalCopyright : Copyright 1999-2002, Intel Corporation
OriginalFilename : HKCMD.EXE

#:29 [point32.exe]
FilePath : C:\Program Files\Microsoft Hardware\Mouse\
ProcessID : 1648
ThreadCreationTime : 25-05-2005 12:51:58
BasePriority : Normal


#:30 [vptray.exe]
FilePath : C:\PROGRA~1\SYMANT~1\
ProcessID : 1828
ThreadCreationTime : 25-05-2005 12:51:59
BasePriority : Normal
FileVersion : 9.0.2.1000
ProductVersion : 9.0.2.1000
ProductName : Symantec AntiVirus
CompanyName : Symantec Corporation
FileDescription : Symantec AntiVirus
LegalCopyright : Copyright 1991 - 2004 Symantec Corporation. All rights reserved.

#:31 [ccapp.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ProcessID : 1848
ThreadCreationTime : 25-05-2005 12:51:59
BasePriority : Normal
FileVersion : 2.2.1.004
ProductVersion : 2.2.1.004
ProductName : Common Client
CompanyName : Symantec Corporation
FileDescription : Common Client User Session
InternalName : ccApp
LegalCopyright : Copyright © 2000-2003 Symantec Corporation. All rights reserved.
OriginalFilename : ccApp.exe

#:32 [ctfmon.exe]
FilePath : C:\WINNT\system32\
ProcessID : 1956
ThreadCreationTime : 25-05-2005 12:52:01
BasePriority : Normal
FileVersion : 1.00.2409.7 built by: Lab06_N
ProductVersion : 1.00.2409.7
ProductName : Microsoft® Windows NT® Operating System
CompanyName : Microsoft Corporation
FileDescription : Cicero Loader
InternalName : CICLOAD
LegalCopyright : Copyright © Microsoft Corporation. 1981-2001
OriginalFilename : CICLOAD.EXE

#:33 [faxctrl.exe]
FilePath : C:\Program Files\RightFAX\
ProcessID : 1968
ThreadCreationTime : 25-05-2005 12:52:05
BasePriority : Normal
FileVersion : 7, 2, 0, 101
ProductVersion : 7, 2, 0, 101
ProductName : RightFAX, Inc.
CompanyName : RightFAX, Inc.
FileDescription : RightFAX 32-bit Windows Tray-Fax
InternalName : FAXCTRL
LegalCopyright : Copyright © 1995-1999, RightFAX, Inc.

#:34 [pktray.exe]
FilePath : C:\Program Files\PKWARE\PKZIPM\7.10.0009\
ProcessID : 1564
ThreadCreationTime : 25-05-2005 12:52:09
BasePriority : Normal
FileVersion : 1.00.0062.0
ProductVersion : 7.10.0009
ProductName : PKZIP for Windows
CompanyName : PKWARE, Inc.
FileDescription : E-Mail Attchment Compression Tray Module
InternalName : PKTRAY
LegalCopyright : Copyright © 2001-2003 PKWARE, Inc.
LegalTrademarks : PKWARE, PKZIP, PKUNZIP, and PKSFX are registered trademarks of PKWARE, Inc.
OriginalFilename : PKTRAY.EXE

#:35 [msiexec.exe]
FilePath : C:\WINNT\system32\
ProcessID : 1536
ThreadCreationTime : 25-05-2005 12:52:29
BasePriority : Normal


#:36 [outlook.exe]
FilePath : C:\PROGRA~1\MICROS~3\OFFICE11\
ProcessID : 1816
ThreadCreationTime : 25-05-2005 12:53:01
BasePriority : Normal


#:37 [iexplore.exe]
FilePath : C:\Program Files\Internet Explorer\
ProcessID : 1924
ThreadCreationTime : 25-05-2005 12:53:02
BasePriority : Normal
FileVersion : 6.00.2800.1106
ProductVersion : 6.00.2800.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : IEXPLORE.EXE

#:38 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 1748
ThreadCreationTime : 25-05-2005 12:53:17
BasePriority : Normal
FileVersion : 6.2.0.206
ProductVersion : VI.Second Edition
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment : "AC"
Rootkey : HKEY_USERS
Object : S-1-5-21-3447799233-88195640-3190524854-15267\software\lq
Value : AC

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 1


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 1


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking Cookie Object Recognized!
Type : IECache Entry
Data : wigmanj@revenue[2].txt
Category : Data Miner
Comment : Hits:2
Value : Cookie:[email protected]/
Expires : 10-06-2022 06:05:42
LastSync : Hits:2
UseCount : 0
Hits : 2

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 2



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 2


Deep scanning and examining files (D:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for D:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 2


Scanning Hosts file......
Hosts file location:"C:\WINNT\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 2




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ebates MoneyMaker Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : AT

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : AC

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : TM

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : U

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : AD

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : I

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : AM

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : TR

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : leck

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : country

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : city

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : state

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 13
Objects found so far: 15

14:00:07 Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:06:32.78
Objects scanned:78903
Objects identified:15
Objects ignored:0
New critical objects:15
  • 0

#7
Guest_numbnuts_*
Posted 25 May 2005 - 08:45 AM

Guest_numbnuts_*
  • Guest
Please follow the instructions located in Step Five: Posting a Hijack This Log. Post your HJT log as a reply to this thread, which has been relocated to the Malware Removal Forum for providing you with further assistance.

Kindly note that it is very busy in the Malware Removal Forum, so there may be a delay in receiving a reply. Please also note that HJT logfiles are reviewed on a first come/first served basis.
  • 0

#8
Wigster78
Posted 01 June 2005 - 04:48 AM

Wigster78

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Hijack this log

Logfile of HijackThis v1.99.1
Scan saved at 11:44:11, on 01/06/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\drivers\trcboot.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\drivers\ldlcserv.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\system32\PGPserv.exe
C:\Program Files\Novadigm\radexecd.exe
C:\Program Files\Novadigm\radsched.exe
C:\Program Files\Novadigm\Radstgms.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\PGP Corporation\PGP for Windows 2000\PGPtray.exe
C:\PROGRA~1\MICROS~3\OFFICE11\OUTLOOK.EXE
C:\Program Files\RightFAX\FaxCtrl.exe
C:\Program Files\PKWARE\PKZIPM\7.10.0009\PKTray.exe
C:\Program Files\JavaSoft\JRE\1.3.1\bin\javaw.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\FileNET\IDM\idmview.exe
C:\Documents and Settings\wigmanj\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gecfhl.home.ge.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://gecfhl.home.ge.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by GE CF HL igroup
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http-proxy.igrp.net:8080;https=http-proxy.igrp.net:8080;ftp=http-proxy.igrp.net:8080;gopher=localhost:1;socks=http-proxy.igrp.net:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = igroupweb.gcf.capital.ge.com;www.lrdirect.co.uk;*.igrp.net;*.ge.com;<local>
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [TempRemove] "C:\Program Files\Crystal Ball\CB Predictor\terminator.exe"
O4 - HKLM\..\Run: [ASDPLUGIN] C:\WINNT\system32\uk_nm.exe -N
O4 - HKLM\..\Run: [checkrun] C:\winnt\system32\elitesxo32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Startup: PKZIP Attachments Status.lnk = C:\Program Files\PKWARE\PKZIPM\7.10.0009\PKTray.exe
O4 - Global Startup: f12_fix.lnk = D:\f12\f12_fix.bat
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: PGPtray.lnk = C:\Program Files\PGP Corporation\PGP for Windows 2000\PGPtray.exe
O4 - Global Startup: RightFAX Print-to-Fax Driver.lnk = C:\Program Files\RightFAX\FaxCtrl.exe
O4 - Global Startup: scaling.lnk = C:\helpdesk\scale.bat
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://gecfhl.home.ge.com
O16 - DPF: {014C9787-BAA9-11D6-884F-00B0D048D6B7} (WorkplaceControl_1.DragDropCtrl) - http://3.193.96.55/d...ceControl_1.CAB
O16 - DPF: {CAFEEFAC-0014-0001-0007-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_07) -
O16 - DPF: {D19781C5-2051-44F8-8445-DDC82933C191} (VacPro.internazionale_ver11) - http://advnt01.com/d...onale_ver11.CAB
O16 - DPF: {F6D2CA20-9CDE-42D9-B29E-B37E0088BB60} (DLITools.UploaderIntl) - http://workplace.con...ploaderIntl.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = hl.consfin.ge.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = hl.consfin.ge.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = hl.consfin.ge.com,igrp.net,midland-general.co.uk
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = hl.consfin.ge.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = hl.consfin.ge.com,igrp.net,midland-general.co.uk
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = hl.consfin.ge.com,igrp.net,midland-general.co.uk
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: LocalSystem (ldlcserv) - Unknown owner - C:\WINNT\System32\drivers\ldlcserv.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: PGPserv - PGP Corporation - C:\WINNT\system32\PGPserv.exe
O23 - Service: Radia Notify Daemon (radexecd) - Novadigm - C:\Program Files\Novadigm\radexecd.exe
O23 - Service: Radia Scheduler Daemon (radsched) - Novadigm - C:\Program Files\Novadigm\radsched.exe
O23 - Service: Radia MSI Redirector (Radstgms) - Novadigm - C:\Program Files\Novadigm\Radstgms.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrcBoot - Unknown owner - C:\WINNT\System32\drivers\trcboot.exe
O23 - Service: Aelita DMW Migration Agent (Vmover.exe) - Aelita Software Corporation - C:\WINNT\System32\Vmover.exe
O23 - Service: VPRemote Install Bootstrap Service (VPREMOTE) - Unknown owner - C:\TEMP\Clt-Inst\vpremote.exe (file missing)
  • 0

#9
Metallica
Posted 14 June 2005 - 04:21 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
copy the part in bold below into notepad and save it as noASD.reg
Doubleclick the file and confirm you want to merge it with the registry.

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"EnableAutodial" = "0"

[-HKEY_LOCAL_MACHINE\SOFTWARE\ASDPLUGIN]

Beware that the EnableAutodial might have had the value 1 before the infection and it may need to be changed back for the correct connection in IE under Tools > Internet Options > on the Connections tab

Download LQ fix from here: http://users.pandora...atchy/LQfix.zip
Run HijackThis and put check marks next to the following entries:

O4 - HKLM\..\Run: [ASDPLUGIN] C:\WINNT\system32\uk_nm.exe -N
O4 - HKLM\..\Run: [checkrun] C:\winnt\system32\elitesxo32.exe

O16 - DPF: {D19781C5-2051-44F8-8445-DDC82933C191} (VacPro.internazionale_ver11) - http://advnt01.com/d...onale_ver11.CAB

Close all Open Windows and click "fix checked"
Boot into Safe Mode by rebooting your computer and tapping f8 during the boot process. Select Safe Mode when it prompts you.
Unzip the file, and run LQFix.bat
Next, Open up My Computer and delete the following files:

C:\WINNT\system32\uk_nm.exe
C:\winnt\system32\elitesxo32.exe

Reboot and post a fresh HijackThis log

Regards,
  • 0

#10
Wigster78
Posted 14 June 2005 - 05:03 AM

Wigster78

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
new log
Logfile of HijackThis v1.99.1
Scan saved at 12:00:28, on 14/06/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\drivers\trcboot.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\drivers\ldlcserv.exe
C:\WINNT\system32\PGPserv.exe
C:\Program Files\Novadigm\radexecd.exe
C:\Program Files\Novadigm\radsched.exe
C:\Program Files\Novadigm\Radstgms.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\PGP Corporation\PGP for Windows 2000\PGPtray.exe
C:\Documents and Settings\wigmanj\Desktop\HijackThis.exe
C:\Program Files\RightFAX\FaxCtrl.exe
C:\Program Files\PKWARE\PKZIPM\7.10.0009\PKTray.exe
C:\PROGRA~1\MICROS~3\OFFICE11\OUTLOOK.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://community.derbiz.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://gecfhl.home.ge.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by GE CF HL igroup
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http-proxy.igrp.net:8080;https=http-proxy.igrp.net:8080;ftp=http-proxy.igrp.net:8080;gopher=localhost:1;socks=http-proxy.igrp.net:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = igroupweb.gcf.capital.ge.com;www.lrdirect.co.uk;*.igrp.net;*.ge.com;<local>
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [TempRemove] "C:\Program Files\Crystal Ball\CB Predictor\terminator.exe"
O4 - HKLM\..\Run: [ASDPLUGIN] C:\WINNT\system32\temp532.exe -N
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [checkrun] C:\winnt\system32\elitesxo32.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Startup: PKZIP Attachments Status.lnk = C:\Program Files\PKWARE\PKZIPM\7.10.0009\PKTray.exe
O4 - Global Startup: f12_fix.lnk = D:\f12\f12_fix.bat
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: PGPtray.lnk = C:\Program Files\PGP Corporation\PGP for Windows 2000\PGPtray.exe
O4 - Global Startup: RightFAX Print-to-Fax Driver.lnk = C:\Program Files\RightFAX\FaxCtrl.exe
O4 - Global Startup: scaling.lnk = C:\helpdesk\scale.bat
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://gecfhl.home.ge.com
O16 - DPF: {014C9787-BAA9-11D6-884F-00B0D048D6B7} (WorkplaceControl_1.DragDropCtrl) - http://3.193.96.55/d...ceControl_1.CAB
O16 - DPF: {CAFEEFAC-0014-0001-0007-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_07) -
O16 - DPF: {F6D2CA20-9CDE-42D9-B29E-B37E0088BB60} (DLITools.UploaderIntl) - http://workplace.con...ploaderIntl.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = hl.consfin.ge.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = hl.consfin.ge.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = hl.consfin.ge.com,igrp.net,midland-general.co.uk
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = hl.consfin.ge.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = hl.consfin.ge.com,igrp.net,midland-general.co.uk
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = hl.consfin.ge.com,igrp.net,midland-general.co.uk
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CWShredder Service - Unknown owner - C:\Documents and Settings\wigmanj\Desktop\CWShredder.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: LocalSystem (ldlcserv) - Unknown owner - C:\WINNT\System32\drivers\ldlcserv.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: PGPserv - PGP Corporation - C:\WINNT\system32\PGPserv.exe
O23 - Service: Radia Notify Daemon (radexecd) - Novadigm - C:\Program Files\Novadigm\radexecd.exe
O23 - Service: Radia Scheduler Daemon (radsched) - Novadigm - C:\Program Files\Novadigm\radsched.exe
O23 - Service: Radia MSI Redirector (Radstgms) - Novadigm - C:\Program Files\Novadigm\Radstgms.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrcBoot - Unknown owner - C:\WINNT\System32\drivers\trcboot.exe
O23 - Service: Aelita DMW Migration Agent (Vmover.exe) - Aelita Software Corporation - C:\WINNT\System32\Vmover.exe
O23 - Service: VPRemote Install Bootstrap Service (VPREMOTE) - Unknown owner - C:\TEMP\Clt-Inst\vpremote.exe (file missing)
  • 0

Advertisements

#11
Metallica
Posted 14 June 2005 - 05:12 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
OK cleaning out the remains.

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://community.derbiz.com/

O4 - HKLM\..\Run: [ASDPLUGIN] C:\WINNT\system32\temp532.exe -N

O4 - HKLM\..\Run: [checkrun] C:\winnt\system32\elitesxo32.exe

Then reboot and let me know if they stayed away this time.

Regards,
  • 0

#12
Wigster78
Posted 14 June 2005 - 05:49 AM

Wigster78

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Ok.
When I open internet explorer it no longer has Derbiz set as my home page. However, the shortcut is still on my desktop. Can I just delete this to the recycle bin.
I have not yet been hit with any pop ups either. Is my log file clean?
Logfile of HijackThis v1.99.1
Scan saved at 12:47:47, on 14/06/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\drivers\trcboot.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\drivers\ldlcserv.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\system32\PGPserv.exe
C:\Program Files\Novadigm\radexecd.exe
C:\Program Files\Novadigm\radsched.exe
C:\Program Files\Novadigm\Radstgms.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\PGP Corporation\PGP for Windows 2000\PGPtray.exe
C:\Program Files\RightFAX\FaxCtrl.exe
C:\Program Files\PKWARE\PKZIPM\7.10.0009\PKTray.exe
C:\WINNT\system32\msiexec.exe
C:\PROGRA~1\MICROS~3\OFFICE11\OUTLOOK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\JavaSoft\JRE\1.3.1\bin\javaw.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\wigmanj\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gecfhl.home.ge.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://gecfhl.home.ge.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by GE CF HL igroup
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http-proxy.igrp.net:8080;https=http-proxy.igrp.net:8080;ftp=http-proxy.igrp.net:8080;gopher=localhost:1;socks=http-proxy.igrp.net:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = igroupweb.gcf.capital.ge.com;www.lrdirect.co.uk;*.igrp.net;*.ge.com;<local>
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [TempRemove] "C:\Program Files\Crystal Ball\CB Predictor\terminator.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [checkrun] C:\winnt\system32\elitesxo32.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Startup: PKZIP Attachments Status.lnk = C:\Program Files\PKWARE\PKZIPM\7.10.0009\PKTray.exe
O4 - Global Startup: f12_fix.lnk = D:\f12\f12_fix.bat
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: PGPtray.lnk = C:\Program Files\PGP Corporation\PGP for Windows 2000\PGPtray.exe
O4 - Global Startup: RightFAX Print-to-Fax Driver.lnk = C:\Program Files\RightFAX\FaxCtrl.exe
O4 - Global Startup: scaling.lnk = C:\helpdesk\scale.bat
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://gecfhl.home.ge.com
O16 - DPF: {014C9787-BAA9-11D6-884F-00B0D048D6B7} (WorkplaceControl_1.DragDropCtrl) - http://3.193.96.55/d...ceControl_1.CAB
O16 - DPF: {CAFEEFAC-0014-0001-0007-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_07) -
O16 - DPF: {D19781C5-2051-44F8-8445-DDC82933C191} (VacPro.internazionale_ver11) - http://advnt03.com/d...onale_ver11.CAB
O16 - DPF: {F6D2CA20-9CDE-42D9-B29E-B37E0088BB60} (DLITools.UploaderIntl) - http://workplace.con...ploaderIntl.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = hl.consfin.ge.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = hl.consfin.ge.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = hl.consfin.ge.com,igrp.net,midland-general.co.uk
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = hl.consfin.ge.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = hl.consfin.ge.com,igrp.net,midland-general.co.uk
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = hl.consfin.ge.com,igrp.net,midland-general.co.uk
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CWShredder Service - Unknown owner - C:\Documents and Settings\wigmanj\Desktop\CWShredder.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: LocalSystem (ldlcserv) - Unknown owner - C:\WINNT\System32\drivers\ldlcserv.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: PGPserv - PGP Corporation - C:\WINNT\system32\PGPserv.exe
O23 - Service: Radia Notify Daemon (radexecd) - Novadigm - C:\Program Files\Novadigm\radexecd.exe
O23 - Service: Radia Scheduler Daemon (radsched) - Novadigm - C:\Program Files\Novadigm\radsched.exe
O23 - Service: Radia MSI Redirector (Radstgms) - Novadigm - C:\Program Files\Novadigm\Radstgms.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrcBoot - Unknown owner - C:\WINNT\System32\drivers\trcboot.exe
O23 - Service: Aelita DMW Migration Agent (Vmover.exe) - Aelita Software Corporation - C:\WINNT\System32\Vmover.exe
O23 - Service: VPRemote Install Bootstrap Service (VPREMOTE) - Unknown owner - C:\TEMP\Clt-Inst\vpremote.exe (file missing)
  • 0

#13
Metallica
Posted 14 June 2005 - 06:11 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Almost there.

You can delete the shortcut on your desktop. That one should give you no problems anymore.
  • Download the Registry Search Tool.
  • Unzip the contents of RegSrch.zip to a convenient location.
  • Double-click on RegSrch.vbs.
  • If you have an anti-virus installed it might prompt you about a running script. Please ignore this warning and allow the script to run.
  • In the "Enter search string (case insensitive) and click OK..." box paste this string:
    • elitesxo32
  • Click "OK" to search the registry for that string.
  • Wait for a few minutes while it completes the search.
  • Click "OK" to open the results in WordPad.
  • Copy and paste the entire results into your next post.
Regards,
  • 0

#14
Wigster78
Posted 14 June 2005 - 06:17 AM

Wigster78

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Thanks. Since my last post I have had some pop-ups return "party poker". Will what we are doing now resolve this?

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "elitesxo32" 14/06/2005 13:14:47

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"checkrun"="C:\\winnt\\system32\\elitesxo32.exe"

[HKEY_USERS\S-1-5-21-3447799233-88195640-3190524854-15267\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\FilesNamedMRU]
"001"="elitesxo32.exe"
  • 0

#15
Metallica
Posted 14 June 2005 - 06:30 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
I'm trying to figure out why it won't go.

The LQfix should have taken care of it.

Copy the part in bold below into notepad and save it as Eliterem.reg

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"checkrun"=-

[-HKEY_CURRENT_USER\Software\LQ]

[-HKEY_LOCAL_MACHINE\SOFTWARE\ohbbackup]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Elitum]

Reboot into safe mode and doubleclick on Eliterem.reg
Confirm you want to merge it with the registry.

Then (still in safe mode) use the Disk Cleanup Utility to empty all your Temp folders.


Reboot back to normal and post a new log.

Regards,
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP