Malware Removal: Discussion about Trojans, viruses, hoaxes, firewalls, spyware, and general security issues. If you suspect your PC is infected with a virus, trojan or spyware app please include any supporting documentation or logs.

#1
Hijack log, please help.
Since yesterday, I notice that any of my browsers (Firefox and IE) hangs whenever I load a page. To fully load I have to click the refresh button a couple of times. Spybot Search and Destroy also finds 7X problems. Here is my log from HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 12:45:36 AM, on 2/16/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\BRMFRSMG.EXE
C:\WINDOWS\services.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\windows\winsysban8.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54CFG.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
E:\Spybot - Search & Destroy\SpybotSD.exe
E:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
O2 - BHO: bitlocker - {01EB5130-FC0C-4d75-B9CE-4801B1B854F5} - C:\WINDOWS\System32\nsa20.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [gimmygames] C:\\gimmygames.exe
O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban8.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SmartUI.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54CFG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_10\bin\npjpi142_10.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_10\bin\npjpi142_10.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by20fd.bay20.hotmail.msn.com/...s/MsnPUpld.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B01BE24B-2138-43E3-8284-DA7F2F622148}: NameServer = 205.171.3.65,205.171.2.65
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NICSer_WPC54 - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Microsoft Windows Update Service (Windows Update Service) - Unknown owner - C:\WINDOWS\services.exe

Thank you.
#2
Hi,

1- Start->run->type: services.msc
Double click: Microsoft Windows Update Service
Stop and disable it.

2- Run HijackThis->config->misc tools->delete an NT service
In the box, copy/paste: Windows Update Service ->ok and follow the prompts.

3- Download the trial version of Ewido Security Suite from HERE. Install it (when installing, under "Additional Options" uncheck:
-Install background guard and
-Install scan via context menu),
and update the definitions to the newest files. Do NOT run a scan yet.

Reboot your computer in SafeMode.

1- Run HijackThis and tick:
O2 - BHO: bitlocker - {01EB5130-FC0C-4d75-B9CE-4801B1B854F5} - C:\WINDOWS\System32\nsa20.dll
O4 - HKLM\..\Run: [gimmygames] C:\\gimmygames.exe
O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban8.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
Click "Fix checked".

2- Make sure that you can view hidden files and folders, as explained HERE (uncheck "Hide Extensions for Known File Types"). Delete:
C:\\gimmygames.exe
C:\windows\winsysban8.exe
C:\WINDOWS\services.exe <- in THIS folder, not in system32!
Empty the recycle bin.

3- Run Ewido:
Click on scanner
Click Complete System Scan and the scan will begin.
During the scan it will prompt you to clean files, click OK.
When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
When the scan is finished, click the Save report button at the bottom of the screen.
Save the report to your desktop.
Close Ewido.

Reboot in normal mode and here:
- Post a new HijackThis log.
- Copy/paste the Ewido report, please.
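The triage reasoning behind the entries picked out above, written up as an added example (not code from the thread, and not part of HijackThis): it parses O2, O4 and O23 log lines and flags a service with a Microsoft-sounding name but "Unknown owner", a core Windows binary name running from outside System32, autoruns launched from the drive root or straight from the Windows folder, and a BHO DLL sitting directly in System32. The regexes, the SYSTEM_BINARIES list and the sample lines (copied from the log above, plus clean vendor entries for contrast) are my own assumptions.

```python
"""Defender-side triage of HijackThis-style log lines.

Added example for this thread; not the original poster's code and not
part of HijackThis. Heuristics mirror what the helper fixed above.
"""
import ntpath
import re

# Constructed sample: lines copied from the log posted above, plus clean
# vendor entries for contrast. Read a saved HijackThis log in real use.
SAMPLE_LOG = r"""
O2 - BHO: bitlocker - {01EB5130-FC0C-4d75-B9CE-4801B1B854F5} - C:\WINDOWS\System32\nsa20.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [gimmygames] C:\\gimmygames.exe
O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban8.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Microsoft Windows Update Service (Windows Update Service) - Unknown owner - C:\WINDOWS\services.exe
"""

# Line shapes as they appear in a v1.99 log (assumed, derived from the log above).
RE_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
RE_O4 = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
RE_O23 = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.+)$")
# First drive-letter path ending in .exe/.dll, quoted or not (arguments are dropped).
RE_PATH = re.compile(r'"?(?P<p>[A-Za-z]:\\.*?\.(?:exe|dll))"?', re.IGNORECASE)

# Core Windows binaries that legitimately live only in System32 (assumed list).
SYSTEM_BINARIES = {"services.exe", "svchost.exe", "lsass.exe",
                   "winlogon.exe", "smss.exe", "csrss.exe"}


def _exe_path(text):
    """Extract and normalise the binary path from a log field (collapses C:\\\\x)."""
    m = RE_PATH.search(text)
    return ntpath.normpath(m.group("p")) if m else None


def _parent(path):
    """Lower-cased parent directory without trailing separator, e.g. 'c:' for the root."""
    return ntpath.dirname(path).lower().rstrip("\\")


def _in_system32(path):
    return re.fullmatch(r"[a-z]:\\windows\\system32", _parent(path)) is not None


def triage_line(line):
    """Return a (section, name, reason) finding for one log line, or None if clean."""
    m = RE_O2.match(line)
    if m:
        path = _exe_path(m.group("path"))
        if path and _in_system32(path):
            return ("O2", m.group("name"), "BHO DLL loaded directly from System32: " + path)
        return None
    m = RE_O4.match(line)
    if m:
        path = _exe_path(m.group("cmd"))
        if path is None:
            return None
        parent = _parent(path)
        if re.fullmatch(r"[a-z]:", parent):
            return ("O4", m.group("name"), "autorun from drive root: " + path)
        if re.fullmatch(r"[a-z]:\\windows", parent):
            return ("O4", m.group("name"), "autorun directly from the Windows folder: " + path)
        return None
    m = RE_O23.match(line)
    if m:
        path = _exe_path(m.group("path"))
        reasons = []
        if m.group("owner") == "Unknown owner" and m.group("name").lower().startswith("microsoft"):
            reasons.append("Microsoft-named service with no file owner")
        if path and ntpath.basename(path).lower() in SYSTEM_BINARIES and not _in_system32(path):
            reasons.append("system binary name outside System32: " + path)
        if reasons:
            return ("O23", m.group("name"), "; ".join(reasons))
    return None


def triage(log_text):
    """Run triage_line over every line of a log and return the findings in order."""
    findings = []
    for raw in log_text.splitlines():
        hit = triage_line(raw.strip())
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for section, name, reason in triage(SAMPLE_LOG):
        print(f"{section} [{name}] -> {reason}")
```

Run against the constructed sample it flags exactly the four entries the helper told the poster to fix and leaves the AVG, Adobe and Messenger entries alone.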
#3
Thanks, Acrobaze, for those excellent directions. I did all as you said, except I was not able to find C:\WINDOWS\services.exe in safe mode.

Here is my HijackThis log and Ewido report:

HijackThis log

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54CFG.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\Brmfrmps.exe
E:\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\System32\BRMFRSMG.EXE
C:\WINDOWS\System32\mqtgsvc.exe
E:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\System32\irsmoyyj.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\System32\irssyncd.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SmartUI.lnk = ?
O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54CFG.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_10\bin\npjpi142_10.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_10\bin\npjpi142_10.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by20fd.bay20.hotmail.msn.com/...s/MsnPUpld.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B01BE24B-2138-43E3-8284-DA7F2F622148}: NameServer = 205.171.3.65,205.171.2.65
O17 - HKLM\System\CCS\Services\Tcpip\..\{FD12FEA5-3BC5-431A-83F7-16F3D7924357}: NameServer = 205.171.3.65,205.171.2.65
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: ewido security suite control - ewido networks - E:\ewido anti-malware\ewidoctrl.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NICSer_WPC54 - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
#4
E-report:

---------------------------------------------------------
 ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 1:14:06 AM, 2/21/2006
+ Report-Checksum: BE8D778A

+ Scan result:

C:\WINDOWS\system32\irismon.dll -> Adware.SafeSurfing : Cleaned with backup
C:\WINDOWS\system32\irssyncd.exe -> Adware.SafeSurfing : Cleaned with backup
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\YA5724CG\fran-forever[1].exe -> Adware.EZula : Cleaned with backup
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\MBW5GXFV\drsmartload[1].exe -> Downloader.VB.wr : Cleaned with backup
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\WCPFCVZM\d72[1].exe -> Downloader.Adload.q : Cleaned with backup
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\WCPFCVZM\NNSCAA638[1].EXE -> Adware.NewDotNet : Cleaned with backup
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\WCPFCVZM\gimmygames[1].exe -> Downloader.VB.wd : Cleaned with backup
C:\Documents and Settings\margotsk\Local Settings\Temp\mndcntas.tmp -> Adware.SafeSurfing : Cleaned with backup
C:\Documents and Settings\margotsk\Cookies\margotsk@statcounter[2].txt -> TrackingCookie.Statcounter : Cleaned with backup
C:\Documents and Settings\margotsk\Cookies\margotsk@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\margotsk\Cookies\margotsk@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned with backup
C:\Documents and Settings\margotsk\Cookies\margotsk@serving-sys[4].txt -> TrackingCookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\margotsk\Cookies\margotsk@trafficmp[3].txt -> TrackingCookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\margotsk\Cookies\margotsk@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\margotsk\Cookies\margotsk@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned with backup
C:\Documents and Settings\margotsk\Cookies\margotsk@bluestreak[1].txt -> TrackingCookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\margotsk\Cookies\margotsk@edge.ru4[4].txt -> TrackingCookie.Ru4 : Cleaned with backup
C:\Documents and Settings\margotsk\Cookies\margotsk@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\margotsk\Cookies\margotsk@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\margotsk\Cookies\margotsk@as-eu.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\margotsk\Cookies\margotsk@valueclick[2].txt -> TrackingCookie.Valueclick : Cleaned with backup
C:\Documents and Settings\margotsk\Cookies\margotsk@starware[2].txt -> TrackingCookie.Starware : Cleaned with backup
C:\Documents and Settings\margotsk\Cookies\margotsk@yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\margotsk\Cookies\margotsk@hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\margotsk\Cookies\margotsk@2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\margotsk\Cookies\margotsk@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned with backup
C:\Documents and Settings\margotsk\Cookies\margotsk@spylog[2].txt -> TrackingCookie.Spylog : Cleaned with backup
C:\Documents and Settings\margotsk\Cookies\margotsk@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\margotsk\Cookies\margotsk@servedby.advertising[2].txt -> TrackingCookie.Advertising : Cleaned with backup
C:\Documents and Settings\margotsk\Cookies\margotsk@zedo[1].txt -> TrackingCookie.Zedo : Cleaned with backup
C:\Documents and Settings\margotsk\Cookies\margotsk@overture[2].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\margotsk\Cookies\margotsk@centrport[1].txt -> TrackingCookie.Centrport : Cleaned with backup
C:\Documents and Settings\margotsk\Cookies\margotsk@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\margotsk\Cookies\margotsk@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\margotsk\Cookies\margotsk@z1.adserver[1].txt -> TrackingCookie.Adserver : Cleaned with backup
C:\Documents and Settings\margotsk\Cookies\margotsk@ads.addynamix[1].txt -> TrackingCookie.Addynamix : Cleaned with backup
C:\Documents and Settings\margotsk\Cookies\margotsk@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\Documents and Settings\margotsk\Cookies\margotsk@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\margotsk\Cookies\margotsk@advertising[1].txt -> TrackingCookie.Advertising : Cleaned with backup
C:\Documents and Settings\margotsk\Cookies\margotsk@edge.ru4[1].txt -> TrackingCookie.Ru4 : Cleaned with backup
C:\Documents and Settings\margotsk\Cookies\margotsk@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\margotsk\Cookies\margotsk@ehg-theviptour.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\margotsk\Cookies\margotsk@ad.adocean[1].txt -> TrackingCookie.Adocean : Cleaned with backup
C:\Documents and Settings\margotsk\Cookies\margotsk@adopt.specificclick[3].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\Documents and Settings\margotsk\Cookies\margotsk@adrevolver[3].txt -> TrackingCookie.Adrevolver : Cleaned with backup
C:\Documents and Settings\margotsk\Cookies\margotsk@ehg-vonage.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\margotsk\Cookies\margotsk@bfast[2].txt -> TrackingCookie.Bfast : Cleaned with backup
C:\Documents and Settings\margotsk\Cookies\margotsk@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\margotsk\Cookies\margotsk@webstat[1].txt -> TrackingCookie.Web-stat : Cleaned with backup
C:\Documents and Settings\margotsk\Cookies\margotsk@spylog[1].txt -> TrackingCookie.Spylog : Cleaned with backup
C:\Documents and Settings\margotsk\Cookies\margotsk@z1.adserver[3].txt -> TrackingCookie.Adserver : Cleaned with backup
C:\Documents and Settings\margotsk\Cookies\margotsk@pro-market[2].txt -> TrackingCookie.Pro-market : Cleaned with backup
C:\Documents and Settings\margotsk\Cookies\margotsk@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned with backup
C:\Documents and Settings\margotsk\Cookies\margotsk@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\margotsk\Cookies\margotsk@fastclick[3].txt -> TrackingCookie.Fastclick : Cleaned with backup
C:\Documents and Settings\margotsk\Cookies\margotsk@zedo[2].txt -> TrackingCookie.Zedo : Cleaned with backup
C:\Documents and Settings\margotsk\Cookies\margotsk@2o7[3].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\margotsk\Cookies\margotsk@overture[3].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\margotsk\Cookies\margotsk@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\margotsk\Cookies\margotsk@bluestreak[2].txt -> TrackingCookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\margotsk\Cookies\margotsk@revenue[2].txt -> TrackingCookie.Revenue : Cleaned with backup
C:\Documents and Settings\margotsk\Cookies\margotsk@valueclick[3].txt -> TrackingCookie.Valueclick : Cleaned with backup
C:\Documents and Settings\margotsk\Cookies\margotsk@www.burstbeacon[2].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\margotsk\Cookies\margotsk@mediaplex[2].txt -> TrackingCookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\margotsk\Cookies\margotsk@hitbox[3].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\margotsk\Cookies\margotsk@qksrv[2].txt -> TrackingCookie.Qksrv : Cleaned with backup
C:\Documents and Settings\margotsk\Cookies\margotsk@com[2].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\margotsk\Cookies\margotsk@servedby.advertising[3].txt -> TrackingCookie.Advertising : Cleaned with backup
C:\Documents and Settings\margotsk\Cookies\margotsk@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\margotsk\Cookies\margotsk@statcounter[3].txt -> TrackingCookie.Statcounter : Cleaned with backup
C:\Documents and Settings\margotsk\Cookies\margotsk@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\Documents and Settings\margotsk\Cookies\margotsk@tradedoubler[1].txt -> TrackingCookie.Tradedoubler : Cleaned with backup
C:\Documents and Settings\margotsk\Cookies\margotsk@cc.bridgetrack[2].txt -> TrackingCookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\margotsk\Cookies\margotsk@ehg-sonymusic.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\margotsk\Cookies\margotsk@linksynergy[1].txt -> TrackingCookie.Linksynergy : Cleaned with backup
C:\Documents and Settings\margotsk\Cookies\margotsk@as-us.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\margotsk\Cookies\margotsk@centrport[3].txt -> TrackingCookie.Centrport : Cleaned with backup
C:\Documents and Settings\margotsk\Cookies\margotsk@ads.pointroll[3].txt -> TrackingCookie.Pointroll : Cleaned with backup
C:\Documents and Settings\margotsk\Cookies\margotsk@serving-sys[3].txt -> TrackingCookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\margotsk\Cookies\margotsk@statse.webtrendslive[1].txt -> TrackingCookie.Webtrendslive : Cleaned with backup
C:\Documents and Settings\margotsk\Cookies\margotsk@sec1.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned with backup
C:\Documents and Settings\margotsk\Cookies\margotsk@citi.bridgetrack[1].txt -> TrackingCookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\margotsk\Cookies\margotsk@microsofteup.112.2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\margotsk\Cookies\margotsk@stat.onestat[1].txt -> TrackingCookie.Onestat : Cleaned with backup
C:\Documents and Settings\margotsk\Cookies\margotsk@ehg-randomhouse.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\margotsk\Cookies\margotsk@ehg-idg.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\margotsk\Cookies\margotsk@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\margotsk\Cookies\margotsk@ads.addynamix[3].txt -> TrackingCookie.Addynamix : Cleaned with backup
C:\Documents and Settings\margotsk\Cookies\margotsk@advertising[2].txt -> TrackingCookie.Advertising : Cleaned with backup
C:\Documents and Settings\margotsk\Cookies\margotsk@edge.ru4[3].txt -> TrackingCookie.Ru4 : Cleaned with backup
C:\Documents and Settings\margotsk\Cookies\margotsk@ehg-findlaw.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\margotsk\Cookies\margotsk@ehg-traderpublishing.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\System Volume Information\_restore{5DD052F9-9114-4085-BAD4-00A7BD049191}\RP301\A0072028.exe -> Downloader.Adload.q : Cleaned with backup
C:\System Volume Information\_restore{5DD052F9-9114-4085-BAD4-00A7BD049191}\RP301\A0072029.exe -> Downloader.VB.wr : Cleaned with backup
C:\System Volume Information\_restore{5DD052F9-9114-4085-BAD4-00A7BD049191}\RP301\A0072032.exe -> Adware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{5DD052F9-9114-4085-BAD4-00A7BD049191}\RP301\A0072033.exe -> Adware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{5DD052F9-9114-4085-BAD4-00A7BD049191}\RP301\A0072034.dll -> Adware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{5DD052F9-9114-4085-BAD4-00A7BD049191}\RP301\A0072040.exe -> Downloader.Adload.q : Cleaned with backup
C:\System Volume Information\_restore{5DD052F9-9114-4085-BAD4-00A7BD049191}\RP301\A0072041.exe -> Downloader.VB.wr : Cleaned with backup
C:\System Volume Information\_restore{5DD052F9-9114-4085-BAD4-00A7BD049191}\RP302\A0072056.exe -> Downloader.Adload.q : Cleaned with backup
C:\System Volume Information\_restore{5DD052F9-9114-4085-BAD4-00A7BD049191}\RP302\A0073044.exe -> Downloader.Adload.q : Cleaned with backup
C:\System Volume Information\_restore{5DD052F9-9114-4085-BAD4-00A7BD049191}\RP302\A0073045.exe -> Downloader.VB.wr : Cleaned with backup
C:\System Volume Information\_restore{5DD052F9-9114-4085-BAD4-00A7BD049191}\RP302\A0073066.exe -> Downloader.Adload.q : Cleaned with backup
C:\System Volume Information\_restore{5DD052F9-9114-4085-BAD4-00A7BD049191}\RP304\A0073171.dll -> Adware.HotSearchBar : Cleaned with backup
C:\System Volume Information\_restore{5DD052F9-9114-4085-BAD4-00A7BD049191}\RP306\A0074206.exe -> Downloader.Adload.q : Cleaned with backup
C:\System Volume Information\_restore{5DD052F9-9114-4085-BAD4-00A7BD049191}\RP306\A0074209.exe -> Adware.EZula : Cleaned with backup
C:\System Volume Information\_restore{5DD052F9-9114-4085-BAD4-00A7BD049191}\RP306\A0074213.EXE -> Adware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{5DD052F9-9114-4085-BAD4-00A7BD049191}\RP306\A0074215.exe -> Downloader.Adload.q : Cleaned with backup
C:\System Volume Information\_restore{5DD052F9-9114-4085-BAD4-00A7BD049191}\RP306\A0074216.exe -> Downloader.VB.wd : Cleaned with backup
C:\System Volume Information\_restore{5DD052F9-9114-4085-BAD4-00A7BD049191}\RP306\A0075210.exe -> Downloader.Adload.q : Cleaned with backup
C:\System Volume Information\_restore{5DD052F9-9114-4085-BAD4-00A7BD049191}\RP306\A0075213.exe -> Downloader.Adload.q : Cleaned with backup

::Report End

Thank you a lot... you guys are great!
#5
Good cleaning. There is a new entry:

O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\System32\irssyncd.exe

Make sure that you can view hidden files and folders, as explained HERE (uncheck "Hide Extensions for Known File Types").

Go to this SITE. Upload: C:\WINDOWS\System32\irssyncd.exe
Click "Submit" and copy/paste the results, please.
#6
Hi,

Thanks for replying and apologies for not posting back right away. The file C:\WINDOWS\System32\irssyncd.exe does not exist at this time anymore. Perhaps one of the anti-virus programs deleted it. I started a new thread already: http://www.cybertechhelp.com/forums/...d.php?t=111321

Thanks for your help.
Margots
#7
OK, then run HijackThis and check:

O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\System32\irssyncd.exe

Click "Fix checked", reboot and post a new log, please.