Ad-aware Finds Hi-Wire (again)

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Telstar

Thread Starter
Joined
Jun 19, 2003
Messages
791
Hi,
  • Windows XP Home
    SP1
    IE6/Firefox 0.8
Hi-Wire
Could I get some opinions and/or advice regarding this recent adware intruder.

My Ad-Aware SE Personal has found it on my computer a few times, including my latest scan today (each time I've sent them to Quarantine. I also run Spybot and have SpywareGuard and SpywareBlaster but only Ad-aware seems to find them)....

My Ad-Aware screenshot....


Item Detail.....
Hi-Wire
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
obj[1]=RegKey : S-1-5-21-773119264-677485609-550605251-1003\software\hiwire


A Google Search found....this article....but I don't have the experience to go messing around with my Registry unless I have step-by-step instructions.

Thanks for any help or advice,

Telstar :)
 

Byteman

Gone but Never Forgotten
Joined
Jan 24, 2002
Messages
17,742
Hi Telstar, I would post a Hijackthis log for review... do you need the download location and directions, or have you been through the process already?

Hijackthis will show the Registry entries and you can remove them with it, as well as the files themselves.
Quite curious that AdAware does not fix this....


The newest version of HJT:

http://tools.radiosplace.com/HijackThis.exe

Be glad to post directions if you need that.
 

Telstar

Thread Starter
Joined
Jun 19, 2003
Messages
791
Byteman said:
Hijackthis will show the Registry entries and you can remove them with it, as well as the files themselves.
Quite curious that AdAware does not fix this....
Hi Byteman, thank you for the quick reply.

Could it be that I have simply Quarantined but not "deleted" those archives
in my Ad-Aware? If not, then something is recurring that is placing Hi-Wire
back in my system.

Here's my HijackThis logfile. Please have a look at it and I'll follow
your instructions from there.

Telstar (y)

Logfile of HijackThis v1.98.2
Scan saved at 2:39:23 PM, on 9/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\regprot\regprot.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\[email protected]\[email protected]
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\POP Peeper\POPPeeper.exe
C:\Program Files\MWSnap\MWSnap.exe
C:\Program Files\Iconoid\iconoid.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\MSN\MSNCoreFiles\msn.exe
C:\Program Files\MSN\MSNIA\msniasvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\K-Lite\khancer.exe
C:\Program Files\K-Lite\kazaa.exe
C:\Program Files\K-Lite\KaZuperNodes\KaZuperNodes.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis 1.98.2\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.netscape.com/index2.psp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9022
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RegProt] c:\regprot\regprot.exe /start
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [seticlient] C:\Program Files\[email protected]\[email protected] -min
O4 - HKCU\..\Run: [POP Peeper] "C:\Program Files\POP Peeper\POPPeeper.exe" -min
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [MWSnap] "C:\Program Files\MWSnap\MWSnap.exe"
O4 - HKCU\..\Run: [Iconoid] "C:\Program Files\Iconoid\iconoid.exe" -wait 5
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\System32\wweb32.dll/lookup.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F0E54D7F-874B-43B4-AC0B-683140C4A929}: NameServer = 198.6.1.150 198.6.100.150
 

Byteman

Gone but Never Forgotten
Joined
Jan 24, 2002
Messages
17,742
Hi, I was reading something the other day about problems after a certain update from AdAware---get the latest reference files and try again. Either way, you don't want or need Hiwire, so delete the backups from Quarantine so we are looking at new items if something comes back, OK?

I think it only makes the backups during/just after you hit "Next" to remove items, could be wrong. Older version used to find backups in SpyBot ((Or SpyBot found AAW's)) but I can't say that this is the same now, so I don't have a definite answer for you. Going through the log now...

Are you sure you have these settings in Adaware--mostly the Full scan--it does take a minute longer, but try:

LD Tate said:
Ad-Aware FULL SCAN:


First in the main window look in the bottom right corner and click on Check for updates now then click Connect and download the latest reference files.

From main window: Click Start then under Select a scan Mode tick Perform full system scan.

Next deselect Search for negligible risk entries.

Now to scan just click the Next button.

When the scan is finished mark everything for removal and get rid of it. (Right-click the window and choose select all from the drop down menu and click Next.)


Restart your computer.
 

Telstar

Thread Starter
Joined
Jun 19, 2003
Messages
791
Byteman said:
Hi, I was reading something the other day about problems after a certain update from AdAware---get the latest reference files and try again. Either way, you don't want or need Hiwire, so delete the backups from Quarantine so we are looking at new items if something comes back, OK?
I think it only makes the backups during/just after you hit "Next" to remove items, could be wrong. Older version used to find backups in SpyBot ((Or SpyBot found AAW's)) but I can't say that this is the same now, so I don't have a definite answer for you. Going through the log now...
Are you sure you have these settings in Adaware--mostly the Full scan--it does take a minute longer, but try:
Yep, I admit to using the "Smart Scan" and not the "Full Scan".

Before I scan with Ad-Aware I always check for the latest reference file.

I'm going to delete the archives, check for updates and re-scan using the Full-Scan mode.

Next deselect Search for negligible risk entries.
I have this "unchecked" so I don't get a list of the MRU's.

I'll let you know the results.

Telstar
 

Telstar

Thread Starter
Joined
Jun 19, 2003
Messages
791
Ok, after deleting those objects and using the Full-scan in Ad-Aware
there were NO new objects found. The scan came up clean.

FYI: 129,323 objects scanned @ 21:28 minutes

Let me know if there is anything in the HijackThis logfile.
I like to create an Ignorelist so I can see when any new items are found.

What I'll do is see if any new Hi-Wire items are found in future scans and,
if so, I can post again.

Thanks,
Telstar (y)
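
Added example (not part of the original thread, and not HijackThis's own ignore-list code): the "see when any new items are found" idea from the post above, done by diffing two saved HijackThis logs. The function names, the case-insensitive comparison and the `[example]` autorun line are assumptions made for illustration; the other sample lines are taken from the log posted earlier in this thread.

```python
import re

# HijackThis entry lines start with a section code (R0, R1, O2, O4, O16, ...)
# followed by " - ". Header lines and running-process paths do not match.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")

def parse_entries(log_text):
    """Return the set of (section code, normalised body) entries in a log."""
    entries = set()
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            # Assumption: compare case-insensitively and ignore spacing changes,
            # since Windows paths and registry names are not case-sensitive.
            body = " ".join(m.group("body").split()).lower()
            entries.add((m.group("code"), body))
    return entries

def new_entries(baseline_log, current_log):
    """Entries present in the current scan but absent from the reviewed baseline."""
    return sorted(parse_entries(current_log) - parse_entries(baseline_log))

# Baseline: header, one process line and three entries from the log in this thread.
BASELINE = r"""Logfile of HijackThis v1.98.2
Running processes:
C:\WINDOWS\Explorer.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKCU\..\Run: [MWSnap] "C:\Program Files\MWSnap\MWSnap.exe"
"""

# Later scan: the same entries (one differing only in letter case) plus one
# CONSTRUCTED autorun line standing in for a newly added startup item.
CURRENT = BASELINE.replace("WinPatrol.exe", "WINPATROL.EXE") + (
    "O4 - HKCU\\..\\Run: [example] C:\\Program Files\\Example\\example.exe\n"
)

if __name__ == "__main__":
    for code, body in new_entries(BASELINE, CURRENT):
        print(f"NEW {code}: {body}")
```

The Hi-Wire key Ad-Aware reported sits under the user's SID hive and is not a HijackThis entry type, so a diff like this only covers the startup, browser and ActiveX items that HijackThis lists.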
 