Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Keystroke Logger May Be Present - Stealing Passwords?


  • Please log in to reply
10 replies to this topic

#1 parker06

parker06

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:11:12 PM

Posted 18 December 2005 - 02:33 PM

First Post - bear with me. Problem is: Someone may have put something on PC to be able to see account numbers and passwords - not sure. Here is ORIGINAL Log, followed by a Post-Scan/Fix Log. As important as finding out if Post-fix log is clean is whether your expertise thinks/can confirm any of the original log may have been/is any kind of keystroke logger or other malware that could transmit outbound.

Any and all help will be appreciated! Thank you. NOTE 2 Separate Logfiles;


ORIGINAL Logfile:
Logfile of HijackThis v1.99.1
Scan saved at 1:17:48 PM, on 12/18/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Atievxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wdskctl.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\unzipped\hijackthis[1]\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.cnn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.cnn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.cnn.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.cnn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.cnn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.cnn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Cox High Speed Internet
R3 - URLSearchHook: (no name) - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8}_ - (no file)
R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F3 - REG:win.ini: load=
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SNHELPER - {4E7BD74F-2B8D-469E-C0FB-EF60B19DB42E} - C:\PROGRA~1\Srng\SNHelper.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\toolbar.dll
O4 - HKLM\..\Run: [lgnuzcz] C:\WINDOWS\lgnuzcz.exe
O4 - HKLM\..\Run: [ezyr] C:\WINDOWS\ezyr.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [wdskctl] C:\WINDOWS\wdskctl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: Camio Viewer 3.2.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: PowerReg Scheduler.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: officejet 6100.lnk = ?
O4 - Global Startup: Corel Registration.lnk = C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Dell Home - {08DCFC6C-B6E4-480C-95A4-FC64F37B787E} - http://www.dellnet.com (file missing) (HKCU)
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/activedata/SymAData.dll
O21 - SSODL: Advanced Features - {3F143C3A-1457-6CCA-03A7-7AA23B61E40F} - (no file)
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common files\WinTools\WToolsS.exe (file missing)


LATEST LOGFILE:
Logfile of HijackThis v1.99.1
Scan saved at 3:03:29 PM, on 12/18/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common files\WinTools\WToolsS.exe (file missing)

BC AdBot (Login to Remove)

 


#2 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts
  • OFFLINE
  •  
  • Local time:11:12 PM

Posted 19 December 2005 - 11:03 PM

No way that latest log is complete

Download the trial version of Ewido Security Suite http://www.ewido.net/en/download/ (W2K/XP Only)
· Install ewido.
· During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
· Launch ewido
· It will prompt you to update click the OK button and it will go to the main screen
· On the left side of the main screen click update
· Click on Start and let it update.
· DO NOT run a scan yet. You will do that later in safe mode.

Restart your computer into safe mode now. Perform the following steps in safe mode:
(Start tapping F8 at the first black screen after power up)

Run Ewido:
· Click on scanner
· Click Complete System Scan and the scan will begin.
· During the scan it will prompt you to clean files, click OK
· When the scan is finished, look at the bottom of the screen and click the Save report button.
· Save the report to your C: Drive
This will take some time to run!
Boot to normal mode
Post that log and a new HiJack log
=============
You have no active AntiVirus!

Get the free AVG 7 install it, check for updates and run a full scan

AVG 7 - http://free.grisoft.com/freeweb.php/doc/2/
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#3 parker06

parker06
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:11:12 PM

Posted 20 December 2005 - 10:02 PM

Thank you for all of your help. As requested, here are the two logs. Wondering if any/some could be any kind of logger?

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 10:33:26 PM, 12/20/2005
+ Report-Checksum: F8599734

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{87067F04-DE4C-4688-BC3C-4FCF39D609E7} -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{0F2A4ADC-DABF-4980-8DB4-19F67D7B1F95} -> Spyware.ClearSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Mserv -> Spyware.Daemonize : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinTools -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\WinTools -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\WinTools\kydmzylki -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\WinTools\nlibjhin -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\WinTools\nlibx4m -> Spyware.WebSearch : Cleaned with backup
HKLM\SYSTEM\ControlSet002\Services\WinToolsSvc -> Spyware.WebSearch : Cleaned with backup
HKLM\SYSTEM\ControlSet002\Services\WinToolsSvc\Security -> Spyware.WebSearch : Cleaned with backup
HKLM\SYSTEM\CurrentControlSet\Services\WinToolsSvc -> Spyware.WebSearch : Cleaned with backup
HKLM\SYSTEM\CurrentControlSet\Services\WinToolsSvc\Security -> Spyware.WebSearch : Cleaned with backup
HKLM\SYSTEM\CurrentControlSet\Services\WinToolsSvc\Enum -> Spyware.WebSearch : Cleaned with backup
HKU\S-1-5-21-2000478354-436374069-1957994488-1006\Software\dsktb -> Spyware.IEPlugin : Cleaned with backup
HKU\S-1-5-21-2000478354-436374069-1957994488-1006\Software\dsktb\DesktopToolbar -> Spyware.IEPlugin : Cleaned with backup
HKU\S-1-5-21-2000478354-436374069-1957994488-1006\Software\WinTools -> Spyware.WebSearch : Cleaned with backup
C:\WINDOWS\SYSTEM32\qggktqv0.exe -> Trojan.Small.bm : Cleaned with backup
C:\WINDOWS\SYSTEM32\surte.exe -> Dropper.Small.cw : Cleaned with backup
C:\WINDOWS\SYSTEM32\q8k0fsv0.exe -> Dropper.Small.cu : Cleaned with backup
C:\WINDOWS\SYSTEM32\mskplb.dll -> Spyware.Ipend : Cleaned with backup
C:\WINDOWS\SYSTEM32\msiaih.dll -> Spyware.Ipend : Cleaned with backup
C:\WINDOWS\SYSTEM32\mscjjn.dll -> Spyware.180Solutions : Cleaned with backup
C:\WINDOWS\SYSTEM32\msjpok.dll -> Dropper.Siboco.d : Cleaned with backup
C:\WINDOWS\SYSTEM32\mskceo.dll_tobedeleted -> Spyware.ClientMan : Cleaned with backup
C:\WINDOWS\SYSTEM32\ncmyb.dll -> Spyware.180Solutions : Cleaned with backup
C:\WINDOWS\SYSTEM32\msbb.exe_tobedeleted -> Spyware.180Solutions : Cleaned with backup
C:\WINDOWS\SYSTEM32\telnet.exe.tmp -> Downloader.Istbar.ep : Cleaned with backup
C:\WINDOWS\MSXMIDI.EXE -> Dropper.Small.cw : Cleaned with backup
C:\WINDOWS\infamous.exe -> Logger.Briss.h : Cleaned with backup
C:\WINDOWS\UnstSA2.exe -> Dropper.Delf.z : Cleaned with backup
C:\WINDOWS\preInsTT.exe -> Spyware.BiSpy : Cleaned with backup
C:\WINDOWS\wdskctl.exe -> Spyware.ShopNav : Cleaned with backup
C:\WINDOWS\2_0_1browserhelper2.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\Program Files\Internet Explorer\bdcygehj.exe -> Downloader.WinShow.z : Cleaned with backup
C:\Program Files\SpyHunter\Backup\default@x10[2].txt.bak -> Spyware.Cookie.X10 : Cleaned with backup
C:\Program Files\SpyHunter\Backup\default@trafficmp[2].txt.bak -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Program Files\SpyHunter\Backup\default@statse.webtrendslive[1].txt.bak -> Spyware.Cookie.Webtrendslive : Cleaned with backup
C:\Program Files\SpyHunter\Backup\anyuser@targetnet[1].txt.bak -> Spyware.Cookie.Targetnet : Cleaned with backup
C:\Program Files\SpyHunter\Backup\default@servedby.advertising[2].txt.bak -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Program Files\SpyHunter\Backup\anyuser@servedby.advertising[2].txt.bak -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Program Files\SpyHunter\Backup\default@mediaplex[2].txt.bak -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Program Files\SpyHunter\Backup\default@mediaplex[3].txt.bak -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Program Files\SpyHunter\Backup\default@mediaplex[1].txt.bak -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Program Files\SpyHunter\Backup\anyuser@counter.hitslink[2].txt.bak -> Spyware.Cookie.Hitslink : Cleaned with backup
C:\Program Files\SpyHunter\Backup\anyuser@fastclick[2].txt.bak -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Program Files\SpyHunter\Backup\default@doubleclick[4].txt.bak -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Program Files\SpyHunter\Backup\default@doubleclick[2].txt.bak -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Program Files\SpyHunter\Backup\default@doubleclick[1].txt.bak -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Program Files\SpyHunter\Backup\default@centrport[1].txt.bak -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Program Files\SpyHunter\Backup\default@bfast[2].txt.bak -> Spyware.Cookie.Bfast : Cleaned with backup
C:\Program Files\SpyHunter\Backup\default@atdmt[4].txt.bak -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Program Files\SpyHunter\Backup\default@atdmt[1].txt.bak -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Program Files\SpyHunter\Backup\default@atdmt[2].txt.bak -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Program Files\SpyHunter\Backup\anyuser@atdmt[2].txt.bak -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Program Files\SpyHunter\Backup\default@advertising[1].txt.bak -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Program Files\SpyHunter\Backup\anyuser@advertising[2].txt.bak -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Comite's\Local Settings\Temp\ms6.tmp -> Downloader.Small.nj : Cleaned with backup
C:\Documents and Settings\Comite's\Local Settings\Temp\msgked.exe -> Trojan.Small.i : Cleaned with backup
C:\Documents and Settings\Comite's\Local Settings\Temp\THI5C29.tmp\twaintec.cab/twaintec.dll -> Spyware.BiSpy : Cleaned with backup
C:\Documents and Settings\Comite's\Local Settings\Temp\THI5C29.tmp\twaintec.cab/preInsTT.exe -> Spyware.BiSpy : Cleaned with backup
C:\Documents and Settings\Comite's\Local Settings\Temp\THI5C29.tmp\twaintec.dll -> Spyware.BiSpy : Cleaned with backup
C:\Documents and Settings\Comite's\Local Settings\Temp\THI5C29.tmp\preInsTT.exe -> Spyware.BiSpy : Cleaned with backup
C:\Documents and Settings\Comite's\Local Settings\Temp\~7791596089.tmp -> Downloader.Siboco : Cleaned with backup
C:\Documents and Settings\Comite's\Local Settings\Temp\THI7057.tmp\twaintec.cab/twaintec.dll -> Spyware.BiSpy : Cleaned with backup
C:\Documents and Settings\Comite's\Local Settings\Temp\THI7057.tmp\twaintec.cab/preInsTT.exe -> Spyware.BiSpy : Cleaned with backup
C:\Documents and Settings\Comite's\Local Settings\Temp\THI7057.tmp\twaintec.dll -> Spyware.BiSpy : Cleaned with backup
C:\Documents and Settings\Comite's\Local Settings\Temp\THI7057.tmp\preInsTT.exe -> Spyware.BiSpy : Cleaned with backup
C:\Documents and Settings\Comite's\Local Settings\Temp\ms2.tmp -> Downloader.Small.wk : Cleaned with backup
C:\Documents and Settings\Comite's\Local Settings\Temp\i3.tmp -> Downloader.Small.id : Cleaned with backup
C:\Documents and Settings\Comite's\Local Settings\Temp\optimize.exe -> Downloader.Dyfuca.bq : Cleaned with backup
C:\Documents and Settings\Comite's\Local Settings\Temp\THI480F.tmp\twaintec.cab/twaintec.dll -> Spyware.BiSpy : Cleaned with backup
C:\Documents and Settings\Comite's\Local Settings\Temp\THI480F.tmp\twaintec.cab/preInsTT.exe -> Spyware.BiSpy : Cleaned with backup
C:\Documents and Settings\Comite's\Local Settings\Temp\THI480F.tmp\twaintec.dll -> Spyware.BiSpy : Cleaned with backup
C:\Documents and Settings\Comite's\Local Settings\Temp\THI480F.tmp\preInsTT.exe -> Spyware.BiSpy : Cleaned with backup
C:\Documents and Settings\Comite's\Local Settings\Temp\Installer2.exe -> Dropper.Delf.dj : Cleaned with backup
C:\Documents and Settings\Comite's\Local Settings\Temp\alchem.cab/alchem.exe -> Downloader.Alchemic : Cleaned with backup
C:\Documents and Settings\Comite's\Local Settings\Temp\alchem.exe -> Downloader.Alchemic : Cleaned with backup
C:\Documents and Settings\Comite's\Cookies\comite's@northwestairlines.112.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Comite's\Cookies\comite's@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Comite's\Cookies\comite's@casalemedia[1].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Comite's\Cookies\comite's@trafficmp[1].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Comite's\Cookies\comite's@edge.ru4[1].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Comite's\Cookies\comite's@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Documents and Settings\Comite's\Cookies\comite's@questionmarket[2].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Comite's\Cookies\comite's@overture[2].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\Comite's\Cookies\comite's@ads.pointroll[2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Comite's\Cookies\comite's@www.burstbeacon[2].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\Comite's\Cookies\comite's@fastclick[2].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Comite's\Cookies\comite's@centrport[2].txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Documents and Settings\Comite's\Cookies\comite's@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Comite's\Cookies\comite's@gator[1].txt -> Spyware.Cookie.Gator : Cleaned with backup
C:\Documents and Settings\Comite's\Cookies\comite's@trafficmp[2].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Comite's\Cookies\comite's@y-1shz2prbmdj6wvny-1sez2pra2dj6wjnyamcpikowidj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Comite's\Cookies\comite's@y-1shz2prbmdj6wvny-1sez2pra2dj6wjliekdpoepgudj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Comite's\Cookies\comite's@pro-market[2].txt -> Spyware.Cookie.Pro-market : Cleaned with backup
C:\Documents and Settings\Comite's\Cookies\comite's@specificclick[2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Comite's\Cookies\comite's@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Comite's\Cookies\comite's@serving-sys[2].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Comite's\Cookies\comite's@bs.serving-sys[2].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Comite's\Cookies\comite's@247realmedia[1].txt -> Spyware.Cookie.247realmedia : Cleaned with backup
C:\Documents and Settings\Comite's\Cookies\comite's@citi.bridgetrack[2].txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\Comite's\Cookies\comite's@centrport[3].txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Documents and Settings\Comite's\Cookies\comite's@casalemedia[3].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Comite's\Cookies\comite's@112.2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Comite's\Cookies\comite's@a-1shz2prbmdj6wvny-1sez2pra2dj6wjkyqmc5mkpq-1dj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Comite's\Cookies\comite's@sales.liveperson[2].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Comite's\Cookies\comite's@thunderbolt.adjuggler[1].txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\Comite's\Cookies\comite's@overture[3].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\Comite's\Cookies\comite's@www.burstbeacon[3].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\Comite's\Cookies\comite's@2o7[3].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Comite's\Cookies\comite's@bluestreak[1].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\Comite's\Cookies\comite's@revenue[2].txt -> Spyware.Cookie.Revenue : Cleaned with backup
C:\Documents and Settings\Comite's\Cookies\comite's@valueclick[1].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\Documents and Settings\Comite's\Cookies\comite's@premiumnetworkrocks.valuead[1].txt -> Spyware.Cookie.Valuead : Cleaned with backup
C:\Documents and Settings\Comite's\Cookies\comite's@adopt.specificclick[1].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Comite's\Cookies\comite's@z1.adserver[3].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Documents and Settings\Comite's\Cookies\comite's@server.iad.liveperson[1].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Comite's\Cookies\comite's@burstnet[2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Comite's\Cookies\comite's@edge.ru4[3].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Comite's\Cookies\comite's@ads.pointroll[3].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Comite's\Cookies\comite's@tribalfusion[2].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Comite's\Cookies\comite's@fastclick[1].txt -> Spyware.Cookie.Fastclick : Cleaned with backup


::Report End


HIJACKTHIS LOG:
Logfile of HijackThis v1.99.1
Scan saved at 10:56:25 PM, on 12/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Atievxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe

#4 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts
  • OFFLINE
  •  
  • Local time:11:12 PM

Posted 21 December 2005 - 10:22 AM

That is not the full log and you have not gotten AVG as requested
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#5 parker06

parker06
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:11:12 PM

Posted 30 December 2005 - 05:13 PM

Thanks again for your help. I ran HijackThis v1.99.1 again, and received exactly same log. I did also get AVG as requested, but 'after' running last log, as that was the order in which I thought you were asking. Is there something else I should be doing in order to post a log that would look correct to you? I have re-run a number of times with same result. Not sure if we are making progress or not, but thank you for your time and patience.

#6 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts
  • OFFLINE
  •  
  • Local time:11:12 PM

Posted 30 December 2005 - 05:24 PM

In HiJack

Open misc tools

Click on ignore list - delete all entries in there



Open the log in notepad

EDIT - SELECT ALL
EDIT - COPY

Then come to this message, and in the quick reply box click in the white space and then EDIT - PASTE
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#7 parker06

parker06
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:11:12 PM

Posted 30 December 2005 - 05:54 PM

Logfile of HijackThis v1.99.1
Scan saved at 5:51:44 PM, on 12/30/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Atievxx.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\macromed\flash\GetFlash.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe

#8 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts
  • OFFLINE
  •  
  • Local time:11:12 PM

Posted 30 December 2005 - 06:10 PM

Fix these with HJT – mark them, close IE, click fix checked

O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)

Click Start > Run > and type in:

services.msc

Click OK.

In the services window find

.NET Framework Service

Rightclick and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then OK. File-Exit the Services utility.



START – RUN – type in %temp% OK - Edit – Select all – File – Delete

Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

Empty the recycle bin
Boot and post a new log from normal NOT safe mode

Please give feedback on what worked/didn’t work and the current status of your system
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#9 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts
  • OFFLINE
  •  
  • Local time:11:12 PM

Posted 30 December 2005 - 06:11 PM

Uninstall HiJack and re-download it
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#10 parker06

parker06
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:11:12 PM

Posted 30 December 2005 - 06:34 PM

OK. here goes - if looks clean, be interested if you think any of what we deleted may have been logger?

Logfile of HijackThis v1.99.1
Scan saved at 6:31:45 PM, on 12/30/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Atievxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe

#11 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts
  • OFFLINE
  •  
  • Local time:11:12 PM

Posted 31 December 2005 - 10:24 AM

Well for what's there its clean

Get all of these and/or verify you have the current versions

SpywareBlaster 3.4 http://majorgeeks.com/download2859.html
SpyBot V1.4 http://www.majorgeeks.com/download2471.html
AdAware SE 1.06 http://www.majorgeeks.com/download506.html
MS AntiSpy - http://www.microsoft.com/downloads/details...&displaylang=en (XP and W2K only)

DownLoad them (they are free), install them, check each for their
definition updates
and then run AdAware, MS AntiSpy (W2k/XP) and Spybot, fixing anything
they say.

In SpywareBlaster - Always enable all protection after updates
In SpyBot - After an update run immunize



Turn off restore points, boot, turn them back on – here’s how

XP
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam
"Nothing could be finer than to be in South Carolina ............"

Member ASAP




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users