1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Ad-aware Finds Hi-Wire (again)

Discussion in 'Virus & Other Malware Removal' started by Telstar, Sep 5, 2004.

Thread Status:
Not open for further replies.
Advertisement
  1. Telstar

    Telstar Thread Starter

    Joined:
    Jun 19, 2003
    Messages:
    791
    Hi,
    • Windows XP Home
      SP1
      IE6/Firefox 0.8

    Hi-Wire
    Could I get some opinions and/or advice regarding this recent adware intruder.

    My Ad-Aware SE Personal has found it on my computer a few times, including my latest scan today (each time I've sent them to Quarantine. I also run Spybot and have SpywareGuard and SpywareBlaster but only Ad-aware seems to find them)....

    My Ad-Aware screenshot....
    [​IMG]

    Item Detail.....
    Hi-Wire
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    obj[1]=RegKey : S-1-5-21-773119264-677485609-550605251-1003\software\hiwire


    A Google Search found....this article....but I don't have the experience to go messing around with my Registry unless I have step-by-step instructions.

    Thanks for any help or advice,

    Telstar :)
     
  2. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi Telstar I would post a Hijackthis log for review...do you need the download location and directions,or have you been through the process already?

    Hijackthis will show the Registry entries and you can remove them with it, as well as the files themselves.
    Quite curious that AdAware does not fix this....


    The newest version of HJT:

    http://tools.radiosplace.com/HijackThis.exe

    Be glad to post directions if you need that.
     
  3. Telstar

    Telstar Thread Starter

    Joined:
    Jun 19, 2003
    Messages:
    791
    Hi Byteman, thank you for the quick reply.

    Could it be that I have simply Quarantined but not "deleted" those archives
    in my Ad-Aware? If not, then something is recurring that is placing Hi-Wire
    back in my system.

    Here's my HijackThis logfile. Please have a look at it and I'll follow
    your instructions from there.

    Telstar (y)

    Logfile of HijackThis v1.98.2
    Scan saved at 2:39:23 PM, on 9/5/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
    C:\regprot\regprot.exe
    C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
    C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\[email protected]\[email protected]
    C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\POP Peeper\POPPeeper.exe
    C:\Program Files\MWSnap\MWSnap.exe
    C:\Program Files\Iconoid\iconoid.exe
    C:\Program Files\WordWeb\wweb32.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\MSN\MSNCoreFiles\msn.exe
    C:\Program Files\MSN\MSNIA\msniasvc.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\K-Lite\khancer.exe
    C:\Program Files\K-Lite\kazaa.exe
    C:\Program Files\K-Lite\KaZuperNodes\KaZuperNodes.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\HijackThis 1.98.2\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.netscape.com/index2.psp
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9022
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar1.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [RegProt] c:\regprot\regprot.exe /start
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKCU\..\Run: [seticlient] C:\Program Files\[email protected]\[email protected] -min
    O4 - HKCU\..\Run: [POP Peeper] "C:\Program Files\POP Peeper\POPPeeper.exe" -min
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKCU\..\Run: [MWSnap] "C:\Program Files\MWSnap\MWSnap.exe"
    O4 - HKCU\..\Run: [Iconoid] "C:\Program Files\Iconoid\iconoid.exe" -wait 5
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\System32\wweb32.dll/lookup.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F0E54D7F-874B-43B4-AC0B-683140C4A929}: NameServer = 198.6.1.150 198.6.100.150
     
  4. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, I was reading something other day about problems after a certain update from AdAware---get the latest reference files and try again. Either way, you dont want or need Hiwire, so delete the backups from Quarantine so we are looking at new items if something comes back, OK?

    I think it only makes the backups during/just after you hit "Next" to remove items, could be wrong. Older version used to find backups in SpyBot ((Or SpyBot found AAW's)) but I cant say that this is the same now, so I dont have a definite answer for you. Going through the log now...

    Are you sure you have these settings in Adaware--mostly the Full scan--it does take a minute longer, but try:

     
  5. Telstar

    Telstar Thread Starter

    Joined:
    Jun 19, 2003
    Messages:
    791
    Yep, I admit to using the "Smart Scan" and not the "Full Scan".

    Before I scan with Ad-Aware I always check for the latest reference file.

    I'm going to delete the archives, check for updates and re-scan using the Full-Scan mode.

    I have this "unchecked" so I don't get a list of the MRU's.

    I'll let you know the results.

    Telstar
     
  6. Telstar

    Telstar Thread Starter

    Joined:
    Jun 19, 2003
    Messages:
    791
    Ok, after deleting those objects and using the Full-scan in Ad-Aware
    there were NO new objects found. The scan came up clean.

    FYI: 129,323 objects scanned @ 21:28 minutes

    Let me know if there is anything in the HijackThis logfile.
    I like to create an Ignorelist so I can see when any new items are found.

    What I'll do is see if any new Hi-Wire items are found in future scans and,
    if so, I can post again.

    Thanks,
    Telstar (y)
     
  7. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/270465

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice