ad-watch log help plz

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

lee_1133

Thread Starter
Joined
Aug 24, 2002
Messages
280
Can someone tell me what these are and if I should remove them, and if so, how? They keep returning each time I run Ad-watch, but I have BlackICE and Ad-aware running all the time.

Ad-watch Logfile, exported on 02/10/2003
Total number of events:3
===============================================
02/10/2003 21:39:41 - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:SOFTWARE\Classes\.exe
Value:ZAMailSafeExt
Data:
New Data:zl9

Possible browser hijack attempt (Blocked)

===============================================
02/10/2003 21:39:41 - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:SOFTWARE\Classes\.lnk
Value:ZAMailSafeExt
Data:
New Data:zlg

Possible browser hijack attempt (Blocked)

===============================================
02/10/2003 21:39:41 - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:SOFTWARE\Classes\.reg
Value:ZAMailSafeExt
Data:
New Data:zlp

Possible browser hijack attempt (Blocked)

===============================================
 
Joined
Aug 25, 2003
Messages
106
Download and run Hijack This from here. To open it you will need WinZip or something equal to it. http://www.tomcoyote.org/hjt/.
Once open, hit the scan button. Upon the scan finishing, the scan button will become a save log button. Hit the save log button and save the log somewhere. Once saved, a notepad page will appear with the results of the scan; copy and paste them in a post here. If there is a problem, someone will be more than happy to assist you :)

~Dragoon
 
Joined
Oct 15, 2003
Messages
1,057
Hi,

this is the result of the scan I did through HijackThis. Which files do I have to remove?

Logfile of HijackThis v1.97.3
Scan saved at 21.48.21, on 15/10/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\WINDOWS\SYSTEM\HPZTSB03.EXE
C:\PROGRAMMI\AVPERSONAL\AVGCTRL.EXE
C:\PROGRAMMI\LAVASOFT\AD-AWARE 6\AD-WATCH.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAMMI\ZONE LABS\ZONEALARM\ZONEALARM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAMMI\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAMMI\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAMMI\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hotmail.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsuxxxxx Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://out.true-counter.com/b/?840828 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://out.true-counter.com/b/?840828 (obfuscated)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL (disabled by BHODemon)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb03.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRA~1\AVPERS~1\AVGCTRL.EXE /min
O4 - HKLM\..\Run: [Ad-watch] C:\PROGRAMMI\LAVASOFT\AD-AWARE 6\Ad-watch.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [ATIPOLAB] ati2plxx.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - Global Startup: ZoneAlarm.lnk = C:\Programmi\Zone Labs\ZoneAlarm\zonealarm.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O14 - IERESET.INF: SEARCH_PAGE_URL=
O14 - IERESET.INF: START_PAGE_URL=
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/76808a0e7ae82f/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37907.1443981482
O19 - User stylesheet: C:\WINDOWS\Web\oslogo.bmp
 
Joined
Jul 26, 2002
Messages
46,331
Run CWShredder like dvk01 suggested. Then post another Hijack This log and someone will look at what's left and tell you if there is anything left to get rid of.
 
Joined
Oct 15, 2003
Messages
1,057
Ok, I did the scan with CWShredder and then I've done another scan with Hijack, the following is the log:
Which files do I have to remove and why?
thank you!

Logfile of HijackThis v1.97.3
Scan saved at 14.15.14, on 16/10/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\WINDOWS\SYSTEM\HPZTSB03.EXE
C:\PROGRAMMI\AVPERSONAL\AVGCTRL.EXE
C:\PROGRAMMI\LAVASOFT\AD-AWARE 6\AD-WATCH.EXE
C:\PROGRAMMI\ZONE LABS\ZONEALARM\ZONEALARM.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAMMI\PAINT SHOP PRO 6\PSP.EXE
C:\DOCUMENTI\CWSHREDDER.EXE
C:\DOCUMENTI\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hotmail.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsuxxxxx Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL (disabled by BHODemon)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb03.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRA~1\AVPERS~1\AVGCTRL.EXE /min
O4 - HKLM\..\Run: [Ad-watch] C:\PROGRAMMI\LAVASOFT\AD-AWARE 6\Ad-watch.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [ATIPOLAB] ati2plxx.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - Global Startup: ZoneAlarm.lnk = C:\Programmi\Zone Labs\ZoneAlarm\zonealarm.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O14 - IERESET.INF: SEARCH_PAGE_URL=
O14 - IERESET.INF: START_PAGE_URL=
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/76808a0e7ae82f/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37907.1443981482
 

dvk01

Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
First Name
Derek
number

Your log looks clean.

Are you still getting popups or redirected when trying to search, or a hijacked home page?

If not, then everything is OK. If you still get the above symptoms, post back and tell us what symptoms and, if redirected or hijacked, where to.
 
Joined
Oct 15, 2003
Messages
1,057
However, even if my log is clean, the notes from ad-aware keep returning each time i run ad-watch, what exactly do I have to do?
 
Joined
Oct 15, 2003
Messages
1,057
In particular, this is the log that I receive every time I run ad-watch:

Ad-watch Logfile, exported on 17/10/03
Total number of events:8
===============================================
17/10/03 11.25.45 - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:SOFTWARE\Classes\.exe
Value:ZAMailSafeExt
Data:
New Data:zl9

Possible browser hijack attempt (Blocked)

===============================================
17/10/03 11.25.45 - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:SOFTWARE\Classes\.lnk
Value:ZAMailSafeExt
Data:
New Data:zlg

Possible browser hijack attempt (Blocked)

===============================================
17/10/03 11.25.45 - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:SOFTWARE\Classes\.reg
Value:ZAMailSafeExt
Data:
New Data:zlp

Possible browser hijack attempt (Blocked)

===============================================
17/10/03 11.25.47 - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:SOFTWARE\Classes\.exe
Value:ZAMailSafeExt
Data:
New Data:zl9

Possible browser hijack attempt (Blocked)

===============================================
17/10/03 11.25.47 - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:SOFTWARE\Classes\.exe
Value:ZAMailSafeExt
Data:
New Data:zl9

Possible browser hijack attempt (Blocked)

===============================================
17/10/03 11.25.47 - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:SOFTWARE\Classes\.lnk
Value:ZAMailSafeExt
Data:
New Data:zlg

Possible browser hijack attempt (Blocked)

===============================================
17/10/03 11.25.47 - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:SOFTWARE\Classes\.reg
Value:ZAMailSafeExt
Data:
New Data:zlp

Possible browser hijack attempt (Blocked)

===============================================
17/10/03 12.00.12 - Registry modification detected
Root:HKEY_CURRENT_USER
Key:Software\Microsoft\Windows\CurrentVersion\RunOnce
Value:ICQ
Data:
New Data:C:\PROGRAMMI\ICQ\ICQ.EXE -trayboot

Attempt to alter the autostart section (Blocked)

===============================================
 

dvk01

Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
First Name
Derek
Ignore them.

The zamailsafe is Zone Alarm checking your email for suspects,

and the ICQ always wants to autostart to be available when you first boot up.

These shouldn't be found by adwatch as they are necessary processes, but adwatch wrongly sees them as possible baddies.

I would suggest you post about this in http://www.lavasoftsupport.com/index.php?act=idx

where the adaware & adwatch developers monitor those forums and can advise better on problems their software experiences and tell you how to overcome it easily.
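
The triage described in the reply above, as an added example that is not part of the original thread: it parses an exported Ad-watch log, collapses repeated events, and marks as explained only those whose full root, key, value and new data match what the thread accounts for, so a reused value name with different data still surfaces for review. The function names, the `EXPLAINED` table and the sample's last event (data `zzz`) are assumptions constructed for illustration.

```python
import re
from collections import Counter
HKLM, HKCU = "HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER"
# Assumption: exact (root, key, value, new data) tuples taken from the log
# posted in this thread, labelled with the causes given in the reply above.
EXPLAINED = {
    (HKLM, r"SOFTWARE\Classes\.exe", "ZAMailSafeExt", "zl9"): "ZoneAlarm MailSafe",
    (HKLM, r"SOFTWARE\Classes\.lnk", "ZAMailSafeExt", "zlg"): "ZoneAlarm MailSafe",
    (HKLM, r"SOFTWARE\Classes\.reg", "ZAMailSafeExt", "zlp"): "ZoneAlarm MailSafe",
    (HKCU, r"Software\Microsoft\Windows\CurrentVersion\RunOnce", "ICQ",
     r"C:\PROGRAMMI\ICQ\ICQ.EXE -trayboot"): "ICQ autostart",
}
FIELD = re.compile(r"^(Root|Key|Value|Data|New Data):(.*)$", re.M)

def parse_events(text):
    """Split an exported Ad-watch log on its '=====' rules into event dicts."""
    events = []
    for block in re.split(r"^=+[ \t]*$", text, flags=re.M)[1:]:  # [0] is the header
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if not lines:
            continue  # nothing after the final rule
        ev = {name: value.strip() for name, value in FIELD.findall(block)}
        ev["when"], _, ev["kind"] = lines[0].partition(" - ")
        ev["verdict"] = lines[-1]
        events.append(ev)
    return events

def triage(events):
    """Collapse repeats; anything not matching an explained tuple is REVIEW."""
    counts = Counter((e["Root"], e["Key"], e["Value"], e["New Data"]) for e in events)
    return {sig: (n, EXPLAINED.get(sig, "REVIEW")) for sig, n in counts.items()}

def _fmt(when, root, key, value, new, verdict="Possible browser hijack attempt (Blocked)"):
    return ("=" * 47 + f"\n{when} - Registry modification detected\nRoot:{root}\n"
            f"Key:{key}\nValue:{value}\nData:\nNew Data:{new}\n\n{verdict}\n\n")

# Constructed sample in the thread's log layout; the last row's data "zzz" is made up.
SAMPLE = "Ad-watch Logfile, exported on 17/10/03\nTotal number of events:4\n" + "".join([
    _fmt("17/10/03 11.25.45", HKLM, r"SOFTWARE\Classes\.exe", "ZAMailSafeExt", "zl9"),
    _fmt("17/10/03 11.25.47", HKLM, r"SOFTWARE\Classes\.exe", "ZAMailSafeExt", "zl9"),
    _fmt("17/10/03 12.00.12", HKCU, r"Software\Microsoft\Windows\CurrentVersion\RunOnce",
         "ICQ", r"C:\PROGRAMMI\ICQ\ICQ.EXE -trayboot",
         "Attempt to alter the autostart section (Blocked)"),
    _fmt("17/10/03 12.00.13", HKLM, r"SOFTWARE\Classes\.exe", "ZAMailSafeExt", "zzz"),
]) + "=" * 47 + "\n"

if __name__ == "__main__":
    for sig, (n, note) in triage(parse_events(SAMPLE)).items():
        print(f"{n}x {note:20} {sig[1]} [{sig[2]}={sig[3]}]")
```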
 
Joined
May 2, 2003
Messages
65
number.....

Ad-watch is reporting this because it has not been allowed yet....
It will warn you about all reg changes if set to do so.

If 'Automatic' is selected at the bottom of Ad-watch:
(Note: There is also an option to "Start Ad-watch in Auto-Block mode"; it will be located here: Open Ad-aware > Configurations > Automation > "Start Ad-watch in auto-blocking mode")
Any and all suspicious activity will instantly and automatically be blocked.
You will not receive an alert about the activity, and you won't be given the choice to 'Allow' or 'Block' the process or registry change.
If you DON'T have 'Automatic' selected:
If a suspicious process or any registry changes are detected, you will receive an alert and be given the option of allowing or blocking the process or change.
Uncheck the option, click Proceed, close Ad-aware 6 and minimize Ad-watch.
When you get this warning again, allow it.....
If it re-occurs, come to the Lavasoft Support Forums as suggested above...

Have fun........ :D
 