Ad-aware 6 + 8 things

Each time I run the Ad-aware I found these , I delete them and the next time they are there again .

Vendor Type Category Object Comment
Possible Browser Hijack attempt RegData Data Miner HKEY_CURRENT_USER:Software\Microsoft\Internet Explorer\Main"Start Page" ("about:blank") Possible browser hijack attempt

Possible Browser Hijack attempt RegData Data Miner HKEY_LOCAL_MACHINE:Software\Microsoft\Internet Explorer\Main"Start Page" ("about:blank") Possible browser hijack attempt

Possible Browser Hijack attempt RegData Data Miner HKEY_CURRENT_USER:Software\Microsoft\Internet Explorer\Main"Search Page" ("file://C:\DOCUME~1\us\LOCALS~1\Temp\sp.html") Possible browser hijack attempt

Possible Browser Hijack attempt RegData Data Miner HKEY_CURRENT_USER:Software\Microsoft\Internet Explorer\Main"Search Bar" ("file://C:\DOCUME~1\us\LOCALS~1\Temp\sp.html") Possible browser hijack attempt

Possible Browser Hijack attempt RegData Data Miner HKEY_CURRENT_USER:Software\Microsoft\Internet Explorer\Search"SearchAssistant" ("file://C:\DOCUME~1\us\LOCALS~1\Temp\sp.html") Possible browser hijack attempt

Possible Browser Hijack attempt RegData Data Miner HKEY_LOCAL_MACHINE:Software\Microsoft\Internet Explorer\Main"Search Page" ("file://C:\DOCUME~1\us\LOCALS~1\Temp\sp.html") Possible browser hijack attempt

Possible Browser Hijack attempt RegData Data Miner HKEY_LOCAL_MACHINE:Software\Microsoft\Internet Explorer\Main"Search Bar" ("file://C:\DOCUME~1\us\LOCALS~1\Temp\sp.html") Possible browser hijack attempt

Possible Browser Hijack attempt RegData Data Miner HKEY_LOCAL_MACHINE:Software\Microsoft\Internet Explorer\Search"SearchAssistant" ("file://C:\DOCUME~1\us\LOCALS~1\Temp\sp.html") Possible browser hijack attempt

I tried all the software that are in the sticky thread with no benefit

Hi motivation,

Yes, that's a difficult one to remove.

Please download HijackThis. Make sure you install HijackThis to a permanent folder such as C:\HJT as it creates backups of what we will fix. Run the program, click the button at the top "Do a system scan and save a logfile". Save the log to a convenient place such as C:\HJT Notepad will open, copy and paste the entire log into your post. Do not fix anything yet, most of what's in the log is needed!

http://www.majorgeeks.com/download3155.html

Tom

Thanks

Some times also when I log with another username and retuen back , some process doubled
2 for each !!

This is the log

Logfile of HijackThis v1.99.0
Scan saved at 10:56:07 PM, on 1/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows XP\FireSvc.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\PROGRA~1\NETWOR~2\COMMON~1\naPrdMgr.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Mdn.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\LeapFTP\LeapFTP.exe
C:\PROGRA~1\DAP\DAP.EXE
C:\Program Files\Microsoft Office\OFFICE11\FRONTPG.EXE
C:\Documents and Settings\us\Desktop\hijackthis\HijackThis.exe
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\us\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\us\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\us\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\us\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\us\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://minisearch.startnow.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\us\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Windows\System32\wsaupdater.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\RealBar.dll
O2 - BHO: (no name) - {4FFFFD12-98F7-4D44-92E8-1DF921F182C2} - C:\WINDOWS\system32\ddbddaa.dll
O2 - BHO: C:\WINDOWS\lbbho.dll - {594F4158-25F9-4D33-BF59-927D959D09F6} - C:\WINDOWS\lbbho.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Wah] C:\Program Files\Common Files\Mdn.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: + Offline &Explorer: Download the link - file://C:\Documents and Settings\us\Desktop\Offline_Explorer_Pro_v3[1].3_build_1758\Add_UrlO.htm
O8 - Extra context menu item: + Offline E&xplorer: Download the current page - file://C:\Documents and Settings\us\Desktop\Offline_Explorer_Pro_v3[1].3_build_1758\Add_AllO.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'osmim.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0594AF7E-573B-40DF-8165-E47AB2EAEFE8} - http://akamai.downloadv3.com/binaries/P2EClient/EGAUTH_1024_EN_XP.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab28177.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/en/filesharingctrl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28177.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - http://download.paltalk.com/download/0.x/regdload.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab28177.cab
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C5} (GameDesire Snooker) - http://67.15.48.49/g_bin/eng/snooker_2_0_0_20.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C09CEF3F-30DD-4AC9-83E9-BDA2C682D07A}: NameServer = 217.17.233.49 193.188.97.209
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O18 - Filter: text/html - {7C9B53FE-B91A-4522-95C0-DCA68E56D8FE} - C:\WINDOWS\system32\ddbddaa.dll
O18 - Filter: text/plain - {7C9B53FE-B91A-4522-95C0-DCA68E56D8FE} - C:\WINDOWS\system32\ddbddaa.dll
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: McAfee Desktop Firewall Service - Networks Associates Technology, Inc. - C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows XP\FireSvc.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZONELABS\vsmon.exe

Please print or copy and paste these instructions into Notepad and save them on your desktop.

Ok these instructions are long and somewhat complicated. If you need help with any of the steps, please ask!

If both user accounts are infected with the same problems mentioned in your last post. Please stay with one user account until it is clean, then we'll move on tho the other account!

These are the tools needed of the fix.

Registrar Lite

CWShredder

Ad-Aware SE Personal Edition version 1.05/


1. Download, install and run Registrar Lite.

2. Once it is installed, please double click on the icon that should now be on your desktop. If an icon is not there, then check under the programs section of your Start Menu.

3. Once registrar lite is opened, copy and paste the below line, into the address field of Registrar Lite.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

and press the enter key on your keyboard.

4. You will now be presented with new information in the bottom right and left sections and on the right section and the key called AppInit_DLLs should be highlighted. Double-click on the AppInit_DLLs key and write down the text found in the value field. This is the file that is causing the problem. It is possible that there is no file name in the AppInit_DLLs listed in the key when you double-click on it. Please continue with these steps anyways.

5. Exit Registrar Lite

6. Please make sure that you can view all hidden files.

Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden Files and Folders heading select Show Hidden Files and Folders.
Uncheck hide extensions for known file types.
Uncheck the Hide Protected Operating System Files option.
Click Yes to confirm.
Click OK.

7. Create a new folder on your hard drive called c:\regbackup.

8. Run Registrar Lite again

9. Copy and paste:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

into the address field and press enter on your keyboard. On the left side of the screen the Windows key should be selected and highlighted purple.

10. With the Windows key highlighted click on the File menu, and then click on export.

11. Enter winkey.reg in the name field and change the Save as Type to Regedit4 standard .reg files (*.reg)

12. Change the Save in: dropdown menu to c:\regbackup

13. Then press the Save button

14. With the Windows key highlighted again click on the File menu, and then click on export.

15. Enter Winkey.hiv in the name field and change the Save as Type to Regedt32/WinApi hive files (*.hiv,*.dat, *.*)

16. Change the Save in: dropdown menu to c:\regbackup

17. Then press the Save button

18. When both backups are successfully saved, right-click on the highlighted Windows key and click on the rename option. Rename the Windows key to Windows1.

19. With Windows1 highlighted, look in the right section and double-click on AppInit_DLLs and clear the text in the Value field. That is the dll you have seen previously in Step 4. If a file name does not exist there, then just press the OK button.

20. Rename Windows1 back to Windows and exit the Registrar Lite.

21. Reboot your computer.

22. When you are back at your desktop, navigate to the c:\regback folder. Double-click on the winkey.reg file. When it prompt if you would like to import/merge the data press the Yes button

23. Run Registrar Lite again

24. Copy and paste:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

into the address field and press enter on your keyboard. On the left side of the screen the Windows key should be selected and highlighted purple.

25. While the Windows key is selected (highlighted purple/blue) in the left window, click on File and them Import.

26. Browse to c:\regback and select the winkey.hiv file that we created earlier and press the Open button. Then press the OK button.

27. Now double-click on the AppInit_DLLs key in the right section of the windows and clear the text in the Value field. If their is no DLL listed there, then just press OK.

28. Exit Registrar Lite

29. Now download Cwshredder from the link above.

30. After you download the program, unzip it into the directory c:\cwshredder. Make sure all browser windows are closed and double-click on the cwshredder.exe to start the program.

31. Next click on the FIX button, not the Scan Only button, let it scan your computer. When it is done, exit the program.

32. Next, using Internet Explorer, run both of these two online virus scans:

http://housecall.antivirus.com/

http://www.pandasoftware.com/activescan/

33. Please download and install the latest version of Ad-Aware from the link above.

34. When you run the program make sure you update it and then scan with it and fix any problems it finds.

35. Exit the program when you have fixed it everything it finds.

36. Finally, check to see if the file found in Step 4 still exists on your computer. If it does, delete it.

Please post a fresh HijackThis log.

Credit goes to Grinler for the fix!

Tom

Thanks alot
I will try these after my practical computer exams

Good luck! I hope you get an A+

Tom