
ad-watch log help plz

Discussion in 'Virus & Other Malware Removal' started by lee_1133, Oct 2, 2003.

Thread Status:
Not open for further replies.
  1. lee_1133

    lee_1133 Thread Starter

    Joined:
    Aug 24, 2002
    Messages:
    280
    Can someone tell me what these are and if I should remove them, and if so, how? They keep returning each time I run Ad-watch, but I have BlackICE and Ad-aware running all the time.

    Ad-watch Logfile, exported on 02/10/2003
    Total number of events:3
    ===============================================
    02/10/2003 21:39:41 - Registry modification detected
    Root:HKEY_LOCAL_MACHINE
    Key:SOFTWARE\Classes\.exe
    Value:ZAMailSafeExt
    Data:
    New Data:zl9

    Possible browser hijack attempt (Blocked)

    ===============================================
    02/10/2003 21:39:41 - Registry modification detected
    Root:HKEY_LOCAL_MACHINE
    Key:SOFTWARE\Classes\.lnk
    Value:ZAMailSafeExt
    Data:
    New Data:zlg

    Possible browser hijack attempt (Blocked)

    ===============================================
    02/10/2003 21:39:41 - Registry modification detected
    Root:HKEY_LOCAL_MACHINE
    Key:SOFTWARE\Classes\.reg
    Value:ZAMailSafeExt
    Data:
    New Data:zlp

    Possible browser hijack attempt (Blocked)

    ===============================================
     
  2. dragoonsgl

    dragoonsgl

    Joined:
    Aug 25, 2003
    Messages:
    106
    Download and run Hijack This from here. To open it you will need WinZip or something equal to it. http://www.tomcoyote.org/hjt/.
    Once open, hit the scan button. Upon the scan finishing, the scan button will become a save log button. Hit the save log button and save the log somewhere. Once saved, a Notepad page will appear with the results of the scan; copy and paste them in a post here. If there is a problem, someone will be more than happy to assist you :)

    ~Dragoon
     
  3. lee_1133

    lee_1133 Thread Starter

    Joined:
    Aug 24, 2002
    Messages:
    280
    Did Hijack This yesterday, nowt wrong.
     
  4. number

    number

    Joined:
    Oct 15, 2003
    Messages:
    1,052
    Hi,

    this is the result of the scan I did through HijackThis. Which files do I have to remove?

    Logfile of HijackThis v1.97.3
    Scan saved at 21.48.21, on 15/10/03
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v5.00 (5.00.2614.3500)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MDM.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\IRMON.EXE
    C:\WINDOWS\SYSTEM\HPZTSB03.EXE
    C:\PROGRAMMI\AVPERSONAL\AVGCTRL.EXE
    C:\PROGRAMMI\LAVASOFT\AD-AWARE 6\AD-WATCH.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAMMI\ZONE LABS\ZONEALARM\ZONEALARM.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\PROGRAMMI\OUTLOOK EXPRESS\MSIMN.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\PROGRAMMI\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAMMI\WINZIP\WINZIP32.EXE
    C:\WINDOWS\TEMP\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hotmail.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsuxxxxx Internet Explorer
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://out.true-counter.com/b/?840828 (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://out.true-counter.com/b/?840828 (obfuscated)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL (disabled by BHODemon)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [IrMon] IrMon.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb03.exe
    O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRA~1\AVPERS~1\AVGCTRL.EXE /min
    O4 - HKLM\..\Run: [Ad-watch] C:\PROGRAMMI\LAVASOFT\AD-AWARE 6\Ad-watch.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [ATIPOLAB] ati2plxx.exe
    O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
    O4 - Global Startup: ZoneAlarm.lnk = C:\Programmi\Zone Labs\ZoneAlarm\zonealarm.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: ICQ Pro (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O14 - IERESET.INF: SEARCH_PAGE_URL=
    O14 - IERESET.INF: START_PAGE_URL=
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/76808a0e7ae82f/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37907.1443981482
    O19 - User stylesheet: C:\WINDOWS\Web\oslogo.bmp
     
  5. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,185
    First Name:
    Derek
  6. number

    number

    Joined:
    Oct 15, 2003
    Messages:
    1,052
    OK, but which files do I have to remove from those listed above?
     
  7. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Run CWShredder like dvk01 suggested. Then post another Hijack This log and someone will look at what's left and tell you if there is anything left to get rid of.
     
  8. number

    number

    Joined:
    Oct 15, 2003
    Messages:
    1,052
    OK, I did the scan with CWShredder and then I did another scan with HijackThis; the following is the log.
    Which files do I have to remove, and why?
    Thank you!

    Logfile of HijackThis v1.97.3
    Scan saved at 14.15.14, on 16/10/03
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v5.00 (5.00.2614.3500)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MDM.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\IRMON.EXE
    C:\WINDOWS\SYSTEM\HPZTSB03.EXE
    C:\PROGRAMMI\AVPERSONAL\AVGCTRL.EXE
    C:\PROGRAMMI\LAVASOFT\AD-AWARE 6\AD-WATCH.EXE
    C:\PROGRAMMI\ZONE LABS\ZONEALARM\ZONEALARM.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAMMI\PAINT SHOP PRO 6\PSP.EXE
    C:\DOCUMENTI\CWSHREDDER.EXE
    C:\DOCUMENTI\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hotmail.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsuxxxxx Internet Explorer
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL (disabled by BHODemon)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [IrMon] IrMon.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb03.exe
    O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRA~1\AVPERS~1\AVGCTRL.EXE /min
    O4 - HKLM\..\Run: [Ad-watch] C:\PROGRAMMI\LAVASOFT\AD-AWARE 6\Ad-watch.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [ATIPOLAB] ati2plxx.exe
    O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
    O4 - Global Startup: ZoneAlarm.lnk = C:\Programmi\Zone Labs\ZoneAlarm\zonealarm.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: ICQ Pro (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O14 - IERESET.INF: SEARCH_PAGE_URL=
    O14 - IERESET.INF: START_PAGE_URL=
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/76808a0e7ae82f/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37907.1443981482
     
  9. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,185
    First Name:
    Derek
    number

    Your log looks clean.

    Are you still getting popups, or redirected when trying to search, or a hijacked home page?

    If not, then everything is OK. If you still get the above symptoms, post back and tell us what symptoms, and if redirected or hijacked, where to.
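The two HijackThis logs in this thread differ only in what CWShredder removed. As an added example (not part of the thread, and not HijackThis or CWShredder code), the Python below parses the item lines of both logs, diffs them, and flags the R1 Search entries that the log itself marks (obfuscated); the embedded log excerpts are constructed from the two logs posted above.

```python
import re

# Constructed excerpts of the two HijackThis logs posted in this thread:
# the first before CWShredder was run, the second afterwards.
HJT_BEFORE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hotmail.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://out.true-counter.com/b/?840828 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://out.true-counter.com/b/?840828 (obfuscated)
O4 - HKLM\..\Run: [Ad-watch] C:\PROGRAMMI\LAVASOFT\AD-AWARE 6\Ad-watch.exe
O19 - User stylesheet: C:\WINDOWS\Web\oslogo.bmp
"""
HJT_AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hotmail.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
O4 - HKLM\..\Run: [Ad-watch] C:\PROGRAMMI\LAVASOFT\AD-AWARE 6\Ad-watch.exe
"""

# HijackThis item lines start with a section code (R0, R1, O2, O4, ...) then " - ".
ITEM_RE = re.compile(r"^(R\d|O\d+) - (.+)$")


def parse_hjt(text):
    """Return {section_code: set(entries)} for the item lines of a log.
    Header lines and the 'Running processes' list carry no code and are skipped."""
    items = {}
    for line in text.splitlines():
        m = ITEM_RE.match(line.strip())
        if m:
            items.setdefault(m.group(1), set()).add(m.group(2))
    return items


def diff_hjt(before, after):
    """(removed, added) as sorted 'CODE - entry' strings between two logs."""
    b, a = parse_hjt(before), parse_hjt(after)
    codes = set(b) | set(a)
    removed = sorted(f"{c} - {e}" for c in codes for e in b.get(c, set()) - a.get(c, set()))
    added = sorted(f"{c} - {e}" for c in codes for e in a.get(c, set()) - b.get(c, set()))
    return removed, added


def flag_items(text):
    """Triage rule taken from this thread: an R-item whose value HijackThis
    marks '(obfuscated)' is a search/start page that was stored encoded."""
    hits = []
    for code, entries in parse_hjt(text).items():
        for e in entries:
            if code.startswith("R") and e.endswith("(obfuscated)"):
                hits.append(f"{code} - {e}")
    return sorted(hits)


if __name__ == "__main__":
    removed, added = diff_hjt(HJT_BEFORE, HJT_AFTER)
    print("removed by CWShredder:", *removed, sep="\n  ")
    print("flagged before:", flag_items(HJT_BEFORE), "after:", flag_items(HJT_AFTER))
```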
     
  10. normmork

    normmork

    Joined:
    Oct 4, 2002
    Messages:
    76
  11. number

    number

    Joined:
    Oct 15, 2003
    Messages:
    1,052
    However, even if my log is clean, the notes from Ad-aware keep returning each time I run Ad-watch. What exactly do I have to do?
     
  12. number

    number

    Joined:
    Oct 15, 2003
    Messages:
    1,052
    In particular, this is the log that I receive every time I run Ad-watch:

    Ad-watch Logfile, exported on 17/10/03
    Total number of events:8
    ===============================================
    17/10/03 11.25.45 - Registry modification detected
    Root:HKEY_LOCAL_MACHINE
    Key:SOFTWARE\Classes\.exe
    Value:ZAMailSafeExt
    Data:
    New Data:zl9

    Possible browser hijack attempt (Blocked)

    ===============================================
    17/10/03 11.25.45 - Registry modification detected
    Root:HKEY_LOCAL_MACHINE
    Key:SOFTWARE\Classes\.lnk
    Value:ZAMailSafeExt
    Data:
    New Data:zlg

    Possible browser hijack attempt (Blocked)

    ===============================================
    17/10/03 11.25.45 - Registry modification detected
    Root:HKEY_LOCAL_MACHINE
    Key:SOFTWARE\Classes\.reg
    Value:ZAMailSafeExt
    Data:
    New Data:zlp

    Possible browser hijack attempt (Blocked)

    ===============================================
    17/10/03 11.25.47 - Registry modification detected
    Root:HKEY_LOCAL_MACHINE
    Key:SOFTWARE\Classes\.exe
    Value:ZAMailSafeExt
    Data:
    New Data:zl9

    Possible browser hijack attempt (Blocked)

    ===============================================
    17/10/03 11.25.47 - Registry modification detected
    Root:HKEY_LOCAL_MACHINE
    Key:SOFTWARE\Classes\.exe
    Value:ZAMailSafeExt
    Data:
    New Data:zl9

    Possible browser hijack attempt (Blocked)

    ===============================================
    17/10/03 11.25.47 - Registry modification detected
    Root:HKEY_LOCAL_MACHINE
    Key:SOFTWARE\Classes\.lnk
    Value:ZAMailSafeExt
    Data:
    New Data:zlg

    Possible browser hijack attempt (Blocked)

    ===============================================
    17/10/03 11.25.47 - Registry modification detected
    Root:HKEY_LOCAL_MACHINE
    Key:SOFTWARE\Classes\.reg
    Value:ZAMailSafeExt
    Data:
    New Data:zlp

    Possible browser hijack attempt (Blocked)

    ===============================================
    17/10/03 12.00.12 - Registry modification detected
    Root:HKEY_CURRENT_USER
    Key:Software\Microsoft\Windows\CurrentVersion\RunOnce
    Value:ICQ
    Data:
    New Data:C:\PROGRAMMI\ICQ\ICQ.EXE -trayboot

    Attempt to alter the autostart section (Blocked)

    ===============================================
     
  13. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,185
    First Name:
    Derek
    Ignore them.

    The ZAMailSafe is ZoneAlarm checking your email for suspects,

    and ICQ always wants to autostart to be available when you first boot up.

    These shouldn't be found by Ad-watch as they are necessary processes, but Ad-watch wrongly sees them as possible baddies.

    I would suggest you post about this in http://www.lavasoftsupport.com/index.php?act=idx

    where the Ad-aware & Ad-watch developers monitor those forums and can advise better on problems their software experiences and tell you how to overcome it easily.
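As an added example, not from the thread or from Lavasoft, here is a Python parser for the Ad-watch log format posted above, with a lookup that maps each event to the explanation given in this thread (ZoneAlarm MailSafe for the ZAMailSafeExt writes under SOFTWARE\Classes, ICQ for the RunOnce entry) and leaves anything else marked for review. The embedded log is a constructed two-event excerpt of the eight-event log posted.

```python
import re

# Constructed excerpt of the Ad-watch log posted above (same format, 2 of its 8 events).
ADWATCH_LOG = r"""Ad-watch Logfile, exported on 17/10/03
Total number of events:2
===============================================
17/10/03 11.25.45 - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:SOFTWARE\Classes\.exe
Value:ZAMailSafeExt
Data:
New Data:zl9

Possible browser hijack attempt (Blocked)

===============================================
17/10/03 12.00.12 - Registry modification detected
Root:HKEY_CURRENT_USER
Key:Software\Microsoft\Windows\CurrentVersion\RunOnce
Value:ICQ
Data:
New Data:C:\PROGRAMMI\ICQ\ICQ.EXE -trayboot

Attempt to alter the autostart section (Blocked)

===============================================
"""
# Event header line: "<date> <time> - <event type>"
HEADER_RE = re.compile(r"^(\S+ \S+) - (.+)$")

def parse_adwatch(text):
    """Split on the '=====' separators; each block becomes a dict holding the
    header fields, Root/Key/Value/Data/New Data, and the final verdict line."""
    events = []
    for block in re.split(r"^=+$", text, flags=re.M):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if not lines or not HEADER_RE.match(lines[0]):
            continue  # file preamble, or the empty trailer after the last separator
        ev = dict(zip(("time", "kind"), HEADER_RE.match(lines[0]).groups()))
        ev["verdict"] = lines[-1]
        for line in lines[1:-1]:
            name, _, val = line.partition(":")  # "New Data:C:\..." splits at the first colon
            ev[name] = val
        events.append(ev)
    return events

def explain(ev):
    """Lookup built from the replies in this thread; anything else stays unexplained."""
    if ev.get("Value") == "ZAMailSafeExt" and ev.get("Key", "").startswith("SOFTWARE\\Classes\\."):
        return "ZoneAlarm MailSafe extension handler"
    if ev.get("Key", "").endswith("\\RunOnce") and ev.get("Value") == "ICQ":
        return "ICQ autostart entry"
    return "unexplained: review"
```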
     
  14. IAMSKINZ

    IAMSKINZ

    Joined:
    May 2, 2003
    Messages:
    65
    number...

    Ad-watch is reporting this because it has not been allowed yet.
    It will warn you about all registry changes if set to do so.

    If 'Automatic' is selected at the bottom of Ad-watch
    (Note: there is also an option to "Start Ad-watch in Auto-Block mode", located here: Open Ad-aware > Configurations > Automation > "Start Ad-watch in auto-blocking mode"),
    any and all suspicious activity will instantly and automatically be blocked.
    You will not receive an alert about the activity; you won't be given the choice to 'Allow' or 'Block' the process or registry change.
    If you DON'T have 'Automatic' selected:
    If a suspicious process or any registry changes are detected, you will receive an alert and be given the option of allowing or blocking the process or change.
    Uncheck the option, click Proceed, close Ad-aware 6 and minimize Ad-watch.
    When you get this warning again, allow it.
    If it reoccurs, come to the Lavasoft Support Forums as suggested above.

    Have fun... :D
     
Short URL to this thread: https://techguy.org/169092
