Infected At Timed Interval?


  • This topic is locked
6 replies to this topic

#1 iaxelr8

  • Members
  • 25 posts

Posted 24 November 2007 - 08:59 AM

Hello all...Very thankful to find this site, a wealth of info here. I must state, everyone here seems to be well versed, so bear with me, my knowledge is limited, so you may have to be patient with me. I was infected on 11/18 just simply (so it seemed) checking messages on "MySpace". I am using NAV 2006, which detected "adware.ezula" and then subsequently "trojan.vundo", both were apparently removed. Took me a couple of days to realize that at around 8:30pm, both will attempt to reload, the process of removal is apparently done again. However, I also noticed that when opening and surfing with IE, within several minutes, several redirects will take place...only using IE, should I be logged into my AOL account and surf through their version of the browser...no redirects. I downloaded SDFix from this site, along with the removal tool for both from Symantec. Here is the log from SDFix:

SDFix: Version 1.115

Run by Owner on Thu 11/22/2007 at 01:50 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\DOCUME~1\Owner\LOCALS~1\Temp\abc123.pid - Deleted
C:\DOCUME~1\Owner\LOCALS~1\Temp\removalfile.bat - Deleted
C:\WINNT\mrofinu72.exe - Deleted




Removing Temp Files...

ADS Check:

C:\WINNT
No streams found.

C:\WINNT\system32
No streams found.

C:\WINNT\system32\svchost.exe
No streams found.

C:\WINNT\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-22 14:10:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\WINNT\\system32\\sessmgr.exe"="C:\\WINNT\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Disabled:Internet Explorer"
"C:\\Program Files\\America Online 8.0\\waol.exe"="C:\\Program Files\\America Online 8.0\\waol.exe:*:Disabled:AOL"
"C:\\Papyrus\\NASCAR Racing 2003 Season\\NR2003.exe"="C:\\Papyrus\\NASCAR Racing 2003 Season\\NR2003.exe:*:Enabled:NASCAR Racing 2003 Season"
"C:\\Program Files\\EA SPORTS\\NASCAR SimRacing\\NASCAR SimRacing.exe"="C:\\Program Files\\EA SPORTS\\NASCAR SimRacing\\NASCAR SimRacing.exe:*:Enabled:NASCAR SimRacing"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Application Loader"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe:*:Enabled:AOLTsMon"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe:*:Enabled:AOLTopSpeed"
"C:\\Program Files\\Common Files\\AOL\\1117157208\\EE\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1117157208\\EE\\AOLServiceHost.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"="C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"="C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\1117157208\\EE\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1117157208\\EE\\aolsoftware.exe:*:Enabled:AOL Shared Components"
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"="C:\\Program Files\\Windows Media Player\\wmplayer.exe:*:Disabled:Windows Media Player"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Tue 8 Oct 2002 49,223 A..H. --- "C:\Program Files\America Online 8.0\aolphx.exe"
Tue 8 Oct 2002 36,939 A..H. --- "C:\Program Files\America Online 8.0\aoltray.exe"
Tue 8 Oct 2002 40,960 A..H. --- "C:\Program Files\America Online 8.0\RBM.exe"
Tue 8 Oct 2002 233,539 A..H. --- "C:\Program Files\America Online 8.0\waol.exe"
Fri 19 Nov 2004 54,872 A..H. --- "C:\Program Files\America Online 9.0\AOLphx.exe"
Fri 19 Nov 2004 31,832 A..H. --- "C:\Program Files\America Online 9.0\rbm.exe"
Tue 14 Jun 2005 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Tue 8 Oct 2002 49,225 A..H. --- "C:\Program Files\America Online 8.0\COMIT\cswitch.exe"
Fri 4 Jul 2003 1,206 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\ccReg.reg"
Tue 4 Mar 2003 1,206 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\ccReg_old.reg"
Tue 4 Mar 2003 12,368 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\CommonClient_old.reg"
Fri 4 Jul 2003 12,368 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\CommonClient.reg"

Finished!

Additionally, lurking through this site, I found the thread below. When checking that registry, there are at least 50 entries notated as "LEGACY". As stated, I am no expert and I remain unsure whether anything in the registry should be listed as "LEGACY", so I am fearful of deleting. In addition to that, I have found the following files in the root of WINNT: (all BIN files) b147.exe, b138.exe, b128.exe, b103.exe


At times though, the malware will also install itself under these keys:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root

as subkeys called LEGACY_svcname. These LEGACY_svcname entries should be deleted as well, but will usually require you to change the permissions on them in order to delete them. Simply change the security permissions on these keys to Everyone (Full) and then delete them.


Any help or pointing in the right direction would be appreciated...Thanking you in advance for any assistance anyone can provide.


#2 iaxelr8


Posted 25 November 2007 - 08:55 AM

Anyone have anything on this?...Did I present this correctly?

#3 iaxelr8


Posted 26 November 2007 - 11:29 AM

Didn't get an answer on this, but continued to try to help myself with the wealth of info on this site. D'loaded ATF Cleaner and SuperAntiSpyware. At this point it seems my woes have been solved. As stated, it seemed like a timed interval to me, roughly around 8:30pm detection from NAV would occur. Fooling it by shutting down didn't help..haha, tried that and it detected shortly after. Anyway, hopefully this log/info helps someone with similar probs. Log is from SuperAntiSpyware, found 55 occurrences. Only problem is a missing .dll upon startup, but everything appears to fire up normally. Log as follows:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/25/2007 at 06:00 PM

Application Version : 3.9.1008

Core Rules Database Version : 3349
Trace Rules Database Version: 1349

Scan type : Complete Scan
Total Scan Time : 02:43:04

Memory items scanned : 171
Memory threats detected : 1
Registry items scanned : 5583
Registry threats detected : 16
File items scanned : 88817
File threats detected : 38

Trojan.WinFixer
C:\WINNT\SYSTEM32\MLJJH.DLL
C:\WINNT\SYSTEM32\MLJJH.DLL
HKLM\Software\Classes\CLSID\{E5CC0A2F-D760-4F50-B0E7-60A3E606BCD4}
HKCR\CLSID\{E5CC0A2F-D760-4F50-B0E7-60A3E606BCD4}
HKCR\CLSID\{E5CC0A2F-D760-4F50-B0E7-60A3E606BCD4}\InprocServer32
HKCR\CLSID\{E5CC0A2F-D760-4F50-B0E7-60A3E606BCD4}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E5CC0A2F-D760-4F50-B0E7-60A3E606BCD4}

Adware.Vundo-Variant/Small-A
HKLM\Software\Classes\CLSID\{1283568f-3cb7-4c15-83a9-faa5bf5659b9}
HKCR\CLSID\{1283568F-3CB7-4C15-83A9-FAA5BF5659B9}
HKCR\CLSID\{1283568F-3CB7-4C15-83A9-FAA5BF5659B9}\InprocServer32
HKCR\CLSID\{1283568F-3CB7-4C15-83A9-FAA5BF5659B9}\InprocServer32#ThreadingModel
C:\WINNT\SYSTEM32\AMYVOLEM.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1283568f-3cb7-4c15-83a9-faa5bf5659b9}
C:\SYSTEM VOLUME INFORMATION\_RESTORE{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP1591\A0098536.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP1594\A0098660.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP1594\A0098679.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP1595\A0098741.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP1595\A0098760.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP1596\A0098846.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP1596\A0098875.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP1596\A0098878.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP1600\A0102543.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP1600\A0102546.DLL
C:\WINNT\SYSTEM32\IVXFCUAO.DLL
C:\WINNT\SYSTEM32\NKNFRBFM.DLL

Trojan.Downloader-Gen/MobRules
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f7db1b6a-1dd1-11b2-8d14-a8f8dd85d72d}
HKCR\CLSID\{F7DB1B6A-1DD1-11B2-8D14-A8F8DD85D72D}
HKCR\CLSID\{F7DB1B6A-1DD1-11B2-8D14-A8F8DD85D72D}\InprocServer32
HKCR\CLSID\{F7DB1B6A-1DD1-11B2-8D14-A8F8DD85D72D}\InprocServer32#ThreadingModel
HKCR\CLSID\{F7DB1B6A-1DD1-11B2-8D14-A8F8DD85D72D}\InprocServer32#t
C:\WINNT\ROPQBSBA.DLL
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\PCFOHKRK.DLL

Adware.AdSponsor/ISM
HKU\S-1-5-21-3476964552-3828445647-3153290160-1003\Software\antica

Rogue.WinPerformance
C:\Program Files\WinPerformance\uninstall.exe
C:\Program Files\WinPerformance

Trojan.Downloader-Gen/DDC
C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP\PGUAUGJV.EXE
C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP\VQPFBVGB.EXE

Trojan.Downloader-Gen/Suspicious
C:\PROGRAM FILES\WINBUDGET\BIN\CRAP.1193220537.OLD
C:\SYSTEM VOLUME INFORMATION\_RESTORE{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP1545\A0096155.OLD

Unclassified.Unknown Origin
C:\SYSTEM VOLUME INFORMATION\_RESTORE{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP1590\A0098432.DLL

Trojan.Downloader-Gen/QDRModule
C:\SYSTEM VOLUME INFORMATION\_RESTORE{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP1590\A0098437.EXE

Adware.Vundo-Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP1591\A0098538.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP1594\A0098661.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP1594\A0098681.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP1595\A0098742.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP1595\A0098762.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP1596\A0098848.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP1596\A0098876.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP1596\A0098880.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP1600\A0102542.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP1600\A0102544.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP1600\A0102545.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP1600\A0102547.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP1600\A0102548.DLL

Adware.Vundo Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP1599\A0100439.DLL

#4 Jacee

  • Malware Response Team
  • 3,716 posts

Posted 26 November 2007 - 11:44 AM

You're doing good at helping yourself, however ... to make sure you're cleaned properly do this:

Download HijackThis™ here:
http://www.trendsecure.com/portal/en-US/th.../hijackthis.php

Click 'Do a System Scan and Save log'. The HJT log will open in notepad. Don't try to fix anything yourself.

Copy and paste the contents of the HJT log into a NEW TOPIC in "HijackThis Logs and Malware Removal"
http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/

Also include a link to this topic. Please be patient as our HJT team members work on several forums.

MS MVP Windows-Security 2006-2016
Member of UNITE, the Unified Network of Instructors and Trusted Eliminators

Admin PC Pitstop


#5 iaxelr8


Posted 26 November 2007 - 01:20 PM

Log posted in the appropriate forum...Thanks for looking!

#6 iaxelr8


Posted 29 November 2007 - 11:57 AM

OK, a little thickening of the plot. This could be due to my surfing habits OR something still remains behind?? After 3 days of surfing, (ran quick scan in SuperANTI Spyware each day), couple of adware cookies, not too concerning...ran a full scan yesterday and found this:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/28/2007 at 08:02 PM

Application Version : 3.9.1008

Core Rules Database Version : 3351
Trace Rules Database Version: 1350

Scan type : Complete Scan
Total Scan Time : 01:57:19

Memory items scanned : 461
Memory threats detected : 0
Registry items scanned : 5592
Registry threats detected : 0
File items scanned : 89012
File threats detected : 14

Adware.Tracking Cookie
C:\Documents and Settings\Owner\Cookies\owner@cgi-bin[1].txt
C:\Documents and Settings\Owner\Cookies\owner@revsci[1].txt
C:\Documents and Settings\Owner\Cookies\owner@atdmt[1].txt
C:\Documents and Settings\Owner\Cookies\owner@html[1].txt
C:\Documents and Settings\Owner\Cookies\owner@atwola[1].txt

Adware.AdSponsor/ISM
C:\PROGRAM FILES\QDRPACK\QDRPACK9.EXE

Adware.Vundo-Variant/Small-A
C:\SYSTEM VOLUME INFORMATION\_RESTORE{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP1602\A0102608.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP1602\A0102609.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP1602\A0102610.DLL

Trojan.Downloader-Gen/MobRules
C:\SYSTEM VOLUME INFORMATION\_RESTORE{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP1602\A0102611.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP1602\A0102612.DLL

Trojan.Downloader-Gen/Suspicious
C:\SYSTEM VOLUME INFORMATION\_RESTORE{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP1602\A0102614.OLD

Adware.Vundo-Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP1602\A0102616.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP1602\A0103616.DLL

Shut down, fired up this morning, signed onto AOL, no surfing, ran a full again and got this...not as concerning:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/29/2007 at 09:35 AM

Application Version : 3.9.1008

Core Rules Database Version : 3352
Trace Rules Database Version: 1351

Scan type : Complete Scan
Total Scan Time : 02:04:37

Memory items scanned : 543
Memory threats detected : 0
Registry items scanned : 5592
Registry threats detected : 0
File items scanned : 89051
File threats detected : 10

Adware.Tracking Cookie
C:\Documents and Settings\Owner\Cookies\owner@2o7[2].txt
C:\Documents and Settings\Owner\Cookies\owner@revsci[1].txt
C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt
C:\Documents and Settings\Owner\Cookies\owner@html[1].txt
C:\Documents and Settings\Owner\Cookies\owner@mediaplex[2].txt
C:\Documents and Settings\Owner\Cookies\owner@atwola[1].txt
C:\Documents and Settings\Owner\Cookies\owner@doubleclick[1].txt
C:\Documents and Settings\Owner\Cookies\owner@advertising[1].txt
C:\Documents and Settings\Owner\Cookies\owner@questionmarket[2].txt

Adware.AdSponsor/ISM
C:\SYSTEM VOLUME INFORMATION\_RESTORE{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP1604\A0103696.EXE

Posting hijack log in my hijack log thread.

#7 TMacK

  • Members
  • 4,672 posts

Posted 29 November 2007 - 12:55 PM

Now that you have a HJT log posted in the HijackThis Logs and Malware Removal forum, you shouldn't make any changes to your system.
Doing so could change the results of the posted log, making it difficult to properly clean your system.

At this point, the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

This topic will now be closed, since you have an open log posted.
If you have any questions, feel free to send me a PM.
Chaos reigns within.
Reflect, repent, and reboot.
Order shall return.

~Suzie Wagner



