
IAmSad

Discussion in 'Virus & Other Malware Removal' started by michaudl, Sep 13, 2003.

Thread Status:
Not open for further replies.
  1. michaudl

    michaudl Thread Starter

    Joined:
    Sep 13, 2003
    Messages:
    6
    Hi,

    My Zone Alarm first informed me that the above program was trying to connect to the internet. I refused the connection.

    Since then, my Ad-watch program has been telling me about a registry modification every 30 seconds.

    What can I do?

    Thank you for your help.

    Luc
    Montréal, Canada
     
  2. Lance1

    Lance1

    Joined:
    Aug 4, 2003
    Messages:
    5,613
    Remove it from the ZA program list and see what happens.
     
  3. michaudl

    michaudl Thread Starter

    Joined:
    Sep 13, 2003
    Messages:
    6
    I removed it. ZA asked me again if I want the program to connect to the internet. I still denied this access.

    Ad-watch still continues to advise me of a registry modification detected every 30 seconds.
     
  4. NiteHawk

    NiteHawk

    Joined:
    Mar 9, 2003
    Messages:
    4,699
    Go to http://tomcoyote.org/hjt/ and download HiJackThis. Use Winzip to unzip it, then install and run it. To run, click the "Scan" button. When it's done, the "Scan" button changes to "Save Log". Save the log file it creates (it should open in Notepad at that point). Copy and paste the results in your next post. If you happen to be using a proxy server, please mention it in your post. Most of what it finds is harmless, so do not do anything yet. Someone will be glad to help you sort out any of the baddies that may be in there.
     
  5. prospect

    prospect

    Joined:
    Jun 13, 2002
    Messages:
    1,354
    What exactly does HijackThis do?
     
  6. NiteHawk

    NiteHawk

    Joined:
    Mar 9, 2003
    Messages:
    4,699
    HijackThis shows browser home and search page hijacks, hence its name. But it goes on to show BHOs and toolbars that have spyware or adware attached to them.

    It also lists all the programs that run at startup. Since much bloatware and spyware, viruses, trojans and so on all want to be running when you first start your PC, it becomes a powerful tool in helping us spot anything in the way of spyware, viruses and so on, on your computer.
     
  7. prospect

    prospect

    Joined:
    Jun 13, 2002
    Messages:
    1,354
    I'm gonna have to go get it and play with it. Thanks!
     
  8. NiteHawk

    NiteHawk

    Joined:
    Mar 9, 2003
    Messages:
    4,699
    Look over in the security forum and you will see a lot of HJT logs posted.

    BTW, what part of Chicago?
     
  9. michaudl

    michaudl Thread Starter

    Joined:
    Sep 13, 2003
    Messages:
    6
    Logfile of HijackThis v1.97.2
    Scan saved at 07:47:11, on 2003-09-14
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\DAP\DAP.EXE
    C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
    C:\WINDOWS\System32\IAMSAD.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Meaya\Popup Ad Filter\PopFilter.exe
    C:\Program Files\CursorXP\CursorXP.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    C:\Program Files\Internet Call Manager\Icm.exe
    C:\Program Files\McAfee.com\SpamKiller\SpamKiller.exe
    C:\Program Files\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Stealther\stealth27.exe
    C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
    C:\Program Files\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
    C:\Program Files\Grisoft\AVG7\avgwb.dat
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\cracks3\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:14000
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\PROGRA~1\COPERN~2\COPERN~1.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
    O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
    O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\Avg6\avgcc32.exe /startup
    O4 - HKLM\..\Run: [NAV Auto Update] IAMSAD.EXE
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Popup Ad Filter] C:\Program Files\Meaya\Popup Ad Filter\PopFilter.exe
    O4 - HKCU\..\Run: [CursorXP] "C:\Program Files\CursorXP\CursorXP.exe" -s
    O4 - Startup: zonealarm pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    O4 - Startup: 3Deep.lnk = C:\Program Files\E-Color\3Deep\3Deepctl.exe
    O4 - Startup: Internet Call Manager.LNK = C:\Program Files\Internet Call Manager\ICM.EXE
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Startup: McAfee.com SpamKiller.lnk = C:\Program Files\McAfee.com\SpamKiller\SpamKiller.exe
    O4 - Startup: AVG Control Center.lnk = C:\Program Files\Grisoft\AVG7\avgcc.exe
    O4 - Startup: Stealther.lnk = C:\Program Files\Stealther\stealth27.exe
    O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm
    O8 - Extra context menu item: Allow Popups - C:\Program Files\Meaya\Popup Ad Filter\WhiteGetUrl.js
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
    O8 - Extra context menu item: Search Using Copernic Agent - C:\Program Files\Copernic Agent\Web\SearchExt.htm
    O9 - Extra 'Tools' menuitem: Launch Copernic Agent (HKLM)
    O9 - Extra button: Copernic Agent (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O9 - Extra button: NeoTrace It! (HKCU)
    O17 - HKLM\System\CCS\Services\Tcpip\..\{90329B32-1797-4851-8206-2D94C4F36EC9}: NameServer = 142.169.1.16 199.84.242.22
     
  10. normmork

    normmork

    Joined:
    Oct 4, 2002
    Messages:
    76
  11. michaudl

    michaudl Thread Starter

    Joined:
    Sep 13, 2003
    Messages:
    6
    Hi normmork,

    This is the scan you asked for. I simply put one file on my ignore list in AA6 because if I remove it, my Kazaa doesn't work. Thank you for your help (that includes NiteHawk), because this problem is getting on my nerves and I hope that I will get out of this with less harm than Beamer_nm.

    Lavasoft Ad-aware Professional Build 6.181
    Logfile created on :14 septembre, 2003 17:12:15
    Using reference-file :01R218 13.09.2003
    ______________________________________________________

    Reffile status:
    =========================
    Reference file loaded:
    Reference Number : 01R218 13.09.2003
    Internal build : 108
    File location : C:\Program Files\Lavasoft\Ad-aware 6\reflist.ref
    Total size : 580291 Bytes
    Signature data size : 569084 Bytes
    Reference data size : 11143 Bytes
    Signatures total : 13086
    Target categories : 10
    Target families : 271

    Memory + processor status:
    ==========================
    Number of processors : 1
    Processor architecture : Intel Pentium IV
    Memory available:54 %
    Total physical memory:523808 kb
    Available physical memory:279620 kb
    Total page file size:1278340 kb
    Available on page file:620120 kb
    Total virtual memory:2097024 kb
    Available virtual memory:2047712 kb
    OS:

    Ad-aware Settings
    =========================
    Set : Activate in-depth scan (Recommended)
    Set : Move deleted files to recycle bin
    Set : Safe mode (always request confirmation)
    Set : Skip non executable files
    Set : Scan active processes
    Set : Scan registry
    Set : Deep scan registry
    Set : Scan my IE Favorites for banned URLs
    Set : Scan within archives
    Set : Scan my Hosts file

    Extended Ad-aware Settings
    =========================
    Set : Unload recognized processes during scanning
    Set : Include info about ignored objects in logfile, if detected in scan
    Set : Include basic Ad-aware settings in logfile
    Set : Include additional Ad-aware settings in logfile
    Set : Include used command line parameters in logfile
    Set : Automatically mark all objects in result list
    Set : Automatically try to unregister objects prior to deletion
    Set : XP/2000: Allow unloading explorer to unload shell extensions prior deletion)
    Set : Let windows remove files in use at next reboot
    Set : Delete quarantined objects after restoring
    Set : Block Popups and banned sites
    Set : Automatically save event log on close
    Set : Log Ad-aware events
    Set : Show splash screen
    Set : Always back up reference file, before updating
    Set : Play sound if scan produced a result


    2003-09-14 17:12:15 - Scan started. (Custom mode)

    Listing running processes
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    #:1 [smss.exe]
    FilePath : \SystemRoot\System32\
    ThreadCreationTime : 2003-09-14 21:02:42
    BasePriority : Normal


    #:2 [winlogon.exe]
    FilePath : \??\C:\WINDOWS\system32\
    ThreadCreationTime : 2003-09-14 21:02:47
    BasePriority : High


    #:3 [services.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 2003-09-14 21:02:49
    BasePriority : Normal
    FileSize : 99 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Applications Services et Contr
    InternalName : services.exe
    OriginalFilename : services.exe
    ProductName : Syst
    Created on : 2001-08-28 16:00:00
    Last accessed : 2003-09-14 04:00:00
    Last modified : 2001-08-28 16:00:00

    #:4 [lsass.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 2003-09-14 21:02:49
    BasePriority : Normal
    FileSize : 11 KB
    FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
    ProductVersion : 5.1.2600.1106
    CompanyName : Microsoft Corporation
    FileDescription : LSA Shell (Export Version)
    InternalName : lsass.exe
    OriginalFilename : lsass.exe
    ProductName : Microsoft
    Created on : 2001-08-28 16:00:00
    Last accessed : 2003-09-14 04:00:00
    Last modified : 2002-08-29 18:45:10

    #:5 [svchost.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 2003-09-14 21:02:51
    BasePriority : Normal
    FileSize : 12 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    OriginalFilename : svchost.exe
    ProductName : Microsoft
    Created on : 2001-08-28 16:00:00
    Last accessed : 2003-09-14 04:00:00
    Last modified : 2001-08-28 16:00:00

    #:6 [svchost.exe]
    FilePath : C:\WINDOWS\System32\
    ThreadCreationTime : 2003-09-14 21:02:51
    BasePriority : Normal
    FileSize : 12 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    OriginalFilename : svchost.exe
    ProductName : Microsoft
    Created on : 2001-08-28 16:00:00
    Last accessed : 2003-09-14 04:00:00
    Last modified : 2001-08-28 16:00:00

    #:7 [spoolsv.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 2003-09-14 21:02:55
    BasePriority : Normal
    FileSize : 50 KB
    FileVersion : 5.1.2600.0 (XPClient.010817-1148)
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Spooler SubSystem App
    InternalName : spoolsv.exe
    OriginalFilename : spoolsv.exe
    ProductName : Microsoft
    Created on : 2001-08-28 16:00:00
    Last accessed : 2003-09-14 04:00:00
    Last modified : 2001-08-28 16:00:00

    #:8 [avgamsvr.exe]
    FilePath : C:\PROGRA~1\Grisoft\AVG7\
    ThreadCreationTime : 2003-09-14 21:02:55
    BasePriority : Normal
    FileSize : 187 KB
    FileVersion : 7,0,0,175
    ProductVersion : 7.0.0.175
    Copyright : Copyright
    CompanyName : GRISOFT, s.r.o.
    FileDescription : AVG Alert Manager
    InternalName : avgamsvr
    OriginalFilename : avgamsvr.EXE
    ProductName : AVG Anti-Virus System
    Created on : 2003-09-11 23:20:14
    Last accessed : 2003-09-14 04:00:00
    Last modified : 2003-09-11 23:20:16

    #:9 [avgupsvc.exe]
    FilePath : C:\PROGRA~1\Grisoft\AVG7\
    ThreadCreationTime : 2003-09-14 21:02:55
    BasePriority : Normal
    FileSize : 22 KB
    FileVersion : 7,0,0,132
    ProductVersion : 7.0.0.132
    Copyright : Copyright
    CompanyName : GRISOFT, s.r.o.
    FileDescription : AVG Update Service
    InternalName : avgupsvc
    OriginalFilename : avgupdsvc.EXE
    ProductName : AVG 7.0 Anti-Virus System
    Created on : 2003-09-09 01:59:12
    Last accessed : 2003-09-14 04:00:00
    Last modified : 2003-09-09 01:59:14

    #:10 [ctsvccda.exe]
    FilePath : C:\WINDOWS\System32\
    ThreadCreationTime : 2003-09-14 21:02:55
    BasePriority : Normal
    FileSize : 43 KB
    FileVersion : 1.0.1.0
    ProductVersion : 1.0.0.0
    Copyright : Copyright (c) Creative Technology Ltd., 1999. All rights reserved.
    CompanyName : Creative Technology Ltd
    FileDescription : Creative Service for CDROM Access
    InternalName : CTsvcCDAEXE
    OriginalFilename : CTsvcCDA.EXE
    ProductName : Creative Service for CDROM Access
    Created on : 2002-09-27 10:56:12
    Last accessed : 2003-09-14 04:00:00
    Last modified : 1999-12-13 05:01:00

    #:11 [nvsvc32.exe]
    FilePath : C:\WINDOWS\System32\
    ThreadCreationTime : 2003-09-14 21:02:55
    BasePriority : Normal
    FileSize : 60 KB
    FileVersion : 6.13.10.3082
    ProductVersion : 6.13.10.3082
    Copyright : (c) NVIDIA Corporation. All rights reserved.
    CompanyName : NVIDIA Corporation
    FileDescription : NVIDIA Driver Helper Service, Version 30.82
    InternalName : NVSVC
    OriginalFilename : nvsvc32.exe
    ProductName : NVIDIA Driver Helper Service, Version 30.82
    Created on : 2002-11-13 22:40:43
    Last accessed : 2003-09-14 04:00:00
    Last modified : 2002-07-16 16:16:00

    #:12 [tcpsvcs.exe]
    FilePath : C:\WINDOWS\System32\
    ThreadCreationTime : 2003-09-14 21:02:56
    BasePriority : Normal
    FileSize : 19 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : TCP/IP Services Application
    InternalName : TCPSVCS.EXE
    OriginalFilename : TCPSVCS.EXE
    ProductName : Microsoft
    Created on : 2001-08-28 16:00:00
    Last accessed : 2003-09-14 04:00:00
    Last modified : 2001-08-28 16:00:00

    #:13 [svchost.exe]
    FilePath : C:\WINDOWS\System32\
    ThreadCreationTime : 2003-09-14 21:02:56
    BasePriority : Normal
    FileSize : 12 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    OriginalFilename : svchost.exe
    ProductName : Microsoft
    Created on : 2001-08-28 16:00:00
    Last accessed : 2003-09-14 04:00:00
    Last modified : 2001-08-28 16:00:00

    #:14 [mspmspsv.exe]
    FilePath : C:\WINDOWS\System32\
    ThreadCreationTime : 2003-09-14 21:02:56
    BasePriority : Normal
    FileSize : 52 KB
    FileVersion : 7.00.00.1954
    ProductVersion : 7.00.00.1954
    Copyright : Copyright (C) Microsoft Corp. 1981-2000
    CompanyName : Microsoft Corporation
    FileDescription : WMDM PMSP Service
    InternalName : MSPMSPSV.EXE
    OriginalFilename : MSPMSPSV.EXE
    ProductName : Microsoft (R) DRM
    Created on : 2000-06-26 11:44:20
    Last accessed : 2003-09-14 04:00:00
    Last modified : 2000-06-26 11:44:20

    #:15 [devldr32.exe]
    FilePath : C:\WINDOWS\System32\
    ThreadCreationTime : 2003-09-14 21:03:09
    BasePriority : Normal
    FileSize : 25 KB
    FileVersion : 1, 0, 0, 22
    ProductVersion : 1, 0, 0, 22
    Copyright : Copyright
    CompanyName : Creative Technology Ltd.
    FileDescription : DevLdr32
    InternalName : DevLdr
    OriginalFilename : DevLdr32.exe
    ProductName : Creative Ring3 NT Inteface
    Created on : 2002-09-24 04:12:51
    Last accessed : 2003-09-14 04:00:00
    Last modified : 2001-08-31 05:44:30

    #:16 [explorer.exe]
    FilePath : C:\WINDOWS\
    ThreadCreationTime : 2003-09-14 21:03:13
    BasePriority : Normal
    FileSize : 977 KB
    FileVersion : 6.00.2800.1221 (xpsp2.030511-1403)
    ProductVersion : 6.00.2800.1221
    CompanyName : Microsoft Corporation
    FileDescription : Explorateur Windows
    InternalName : explorer
    OriginalFilename : EXPLORER.EXE
    ProductName : Syst
    Created on : 2003-05-29 15:49:48
    Last accessed : 2003-09-14 04:00:00
    Last modified : 2003-05-29 15:49:48

    #:17 [dap.exe]
    FilePath : C:\PROGRA~1\DAP\
    ThreadCreationTime : 2003-09-14 21:03:20
    BasePriority : Normal
    FileSize : 1412 KB
    FileVersion : 5, 3, 9, 6
    ProductVersion : 5, 3, 9, 6
    Copyright : Copyright (C) 1999 - 2003 SpeedBit Ltd
    CompanyName : SpeedBit Ltd.
    FileDescription : Download Accelerator Plus
    InternalName : DAP
    OriginalFilename : DAP.EXE
    ProductName : Download Accelerator Plus
    Created on : 2002-12-29 12:15:09
    Last accessed : 2003-09-14 04:00:00
    Last modified : 2003-08-25 00:52:44

    #:18 [ad-watch.exe]
    FilePath : C:\Program Files\Lavasoft\Ad-aware 6\
    ThreadCreationTime : 2003-09-14 21:03:21
    BasePriority : Normal
    FileSize : 383 KB
    FileVersion : 3.1.2.17
    ProductVersion : 3.0
    Copyright : 2001-2003 Team Lavasoft
    CompanyName : Lavasoft Sweden
    FileDescription : Ad-watch Monitor
    InternalName : Ad-watch.exe
    OriginalFilename : Ad-watch.exe
    ProductName : Ad-aware 6
    Created on : 2003-09-12 02:07:27
    Last accessed : 2003-09-14 04:00:00
    Last modified : 2003-02-13 02:04:42

    #:19 [iamsad.exe]
    FilePath : C:\WINDOWS\System32\
    ThreadCreationTime : 2003-09-14 21:03:21
    BasePriority : Normal
    FileSize : 52 KB
    Created on : 2003-09-12 22:23:48
    Last accessed : 2003-09-14 04:00:00
    Last modified : 2003-09-12 22:07:18

    #:20 [ctfmon.exe]
    FilePath : C:\WINDOWS\System32\
    ThreadCreationTime : 2003-09-14 21:03:21
    BasePriority : Normal
    FileSize : 13 KB
    FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
    ProductVersion : 5.1.2600.1106
    CompanyName : Microsoft Corporation
    FileDescription : CTF Loader
    InternalName : CTFMON
    OriginalFilename : CTFMON.EXE
    ProductName : Microsoft
    Created on : 2002-09-24 01:11:55
    Last accessed : 2003-09-14 04:00:00
    Last modified : 2002-08-29 18:45:10

    #:21 [popfilter.exe]
    FilePath : C:\Program Files\Meaya\Popup Ad Filter\
    ThreadCreationTime : 2003-09-14 21:03:21
    BasePriority : Normal
    FileSize : 262 KB
    Created on : 2001-05-21 06:32:05
    Last accessed : 2003-09-14 04:00:00
    Last modified : 2001-05-21 06:32:06

    #:22 [cursorxp.exe]
    FilePath : C:\Program Files\CursorXP\
    ThreadCreationTime : 2003-09-14 21:03:21
    BasePriority : High
    FileSize : 77 KB
    FileVersion : 1, 2, 0, 0
    ProductVersion : 1, 2, 0, 0
    Copyright : Copyright
    FileDescription : CursorXP
    InternalName : CursorXP
    OriginalFilename : CursorEx.exe
    ProductName : Stardock CursorXP
    Created on : 2003-03-23 16:31:19
    Last accessed : 2003-09-14 04:00:00
    Last modified : 2002-06-19 02:52:00

    #:23 [zapro.exe]
    FilePath : C:\Program Files\Zone Labs\ZoneAlarm\
    ThreadCreationTime : 2003-09-14 21:03:23
    BasePriority : Normal
    FileSize : 413 KB
    FileVersion : 4.0.123.012
    ProductVersion : 4.0.123.012
    Copyright : Copyright
    CompanyName : Zone Labs Inc.
    FileDescription : ZoneAlarm Pro
    InternalName : zapro
    OriginalFilename : zapro.exe
    ProductName : ZoneAlarm Pro
    Created on : 2003-04-06 16:38:53
    Last accessed : 2003-09-14 04:00:00
    Last modified : 2003-06-10 04:02:44

    #:24 [icm.exe]
    FilePath : C:\Program Files\Internet Call Manager\
    ThreadCreationTime : 2003-09-14 21:03:24
    BasePriority : Normal
    FileSize : 1600 KB
    FileVersion : 8, 1, 0, 21
    ProductVersion : 8, 1, 0, 21
    Copyright : Copyright (C) 1996-2002
    CompanyName : InfoInterActive Corp.
    FileDescription : ICM Client Application
    InternalName : ICM Client
    OriginalFilename : ICM.EXE
    ProductName : Internet Call Manager
    Created on : 2002-09-16 23:35:30
    Last accessed : 2003-09-14 04:00:00
    Last modified : 2002-09-23 17:10:38

    #:25 [spamkiller.exe]
    FilePath : C:\Program Files\McAfee.com\SpamKiller\
    ThreadCreationTime : 2003-09-14 21:03:25
    BasePriority : Normal
    FileSize : 2353 KB
    FileVersion : 4.0.40.0
    ProductVersion : 4.0
    Copyright : Copyright
    CompanyName : McAfee.com
    FileDescription : SpamKiller
    InternalName : SpamKiller
    OriginalFilename : SPAMKILLER.EXE
    ProductName : SpamKiller
    Created on : 2003-06-18 00:03:14
    Last accessed : 2003-09-14 04:00:00
    Last modified : 2002-08-31 01:48:56

    #:26 [avgcc.exe]
    FilePath : C:\Program Files\Grisoft\AVG7\
    ThreadCreationTime : 2003-09-14 21:03:26
    BasePriority : Normal
    FileSize : 277 KB
    FileVersion : 7,0,0,174
    ProductVersion : 7.0.0.174
    Copyright : Copyright
    CompanyName : GRISOFT, s.r.o.
    FileDescription : AVG Control Center
    InternalName : AvgCC
    OriginalFilename : AvgCC.EXE
    ProductName : AVG Anti-Virus System
    Created on : 2003-09-11 23:20:14
    Last accessed : 2003-09-14 04:00:00
    Last modified : 2003-09-11 23:20:16

    #:27 [stealth27.exe]
    FilePath : C:\Program Files\Stealther\
    ThreadCreationTime : 2003-09-14 21:03:27
    BasePriority : Normal
    FileSize : 1145 KB
    FileVersion : 2.7.0.0
    ProductVersion : 2.6
    Copyright : 2000 Thorsten Schmidt
    CompanyName : Photono Software
    FileDescription : Saves your privacy by using the Super Stealth Technology
    InternalName : sa
    ProductName : Stealther
    Created on : 2003-09-13 19:03:52
    Last accessed : 2003-09-14 04:00:00
    Last modified : 2001-10-27 04:04:20

    #:28 [vsmon.exe]
    FilePath : C:\WINDOWS\SYSTEM32\ZONELABS\
    ThreadCreationTime : 2003-09-14 21:03:30
    BasePriority : Normal
    FileSize : 873 KB
    FileVersion : 4.0.123.012
    ProductVersion : 4.0.123.012
    Copyright : Copyright
    CompanyName : Zone Labs Inc.
    FileDescription : TrueVector Service
    InternalName : vsmon
    OriginalFilename : vsmon.exe
    ProductName : TrueVector Service
    Created on : 2003-01-18 18:24:45
    Last accessed : 2003-09-14 04:00:00
    Last modified : 2003-06-10 04:02:12

    #:29 [avgemc.exe]
    FilePath : C:\Program Files\Grisoft\AVG7\
    ThreadCreationTime : 2003-09-14 21:03:40
    BasePriority : Normal
    FileSize : 170 KB
    FileVersion : 7,0,0,159
    ProductVersion : 7.0.0.159
    Copyright : Copyright
    CompanyName : GRISOFT, s.r.o.
    FileDescription : AVG E-Mail Scanner
    InternalName : avgemc
    OriginalFilename : avgemc.exe
    ProductName : AVG Anti-Virus System
    Created on : 2003-09-09 03:29:24
    Last accessed : 2003-09-14 04:00:00
    Last modified : 2003-09-09 03:29:26

    #:30 [iexplore.exe]
    FilePath : C:\Program Files\Internet Explorer\
    ThreadCreationTime : 2003-09-14 21:05:28
    BasePriority : Normal
    FileSize : 89 KB
    FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
    ProductVersion : 6.00.2800.1106
    CompanyName : Microsoft Corporation
    FileDescription : Internet Explorer
    InternalName : iexplore
    OriginalFilename : IEXPLORE.EXE
    ProductName : Syst
    Created on : 2002-09-24 01:23:15
    Last accessed : 2003-09-14 04:00:00
    Last modified : 2002-08-29 18:45:10

    #:31 [ad-aware.exe]
    FilePath : C:\Program Files\Lavasoft\Ad-aware 6\
    ThreadCreationTime : 2003-09-14 21:07:49
    BasePriority : Normal
    FileSize : 724 KB
    FileVersion : 6.0.1.183
    ProductVersion : 6.0.0.0
    Copyright : Copyright
    CompanyName : Lavasoft Sweden
    FileDescription : Ad-aware 6 core application
    InternalName : Ad-aware.exe
    OriginalFilename : Ad-aware.exe
    ProductName : Lavasoft Ad-aware Plus
    Created on : 2003-09-12 02:07:28
    Last accessed : 2003-09-14 04:00:00
    Last modified : 2003-07-13 02:01:58

    Memory scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 0


    Started registry scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    Registry scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 0


    Started deep registry scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    Deep registry scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 0


    Deep scanning and examining files (C:)
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    TopSearch Object recognized but ignored
    Type : File
    Data : topsearch.dll
    Category : Data Miner
    Comment :
    Object : C:\Program Files\KaZaA\topsearch.dll


    Disk scan result for C:\
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 0


    Deep scanning and examining files (D:)
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    Disk scan result for D:\
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 0


    Scanning Hosts file(C:\WINDOWS\System32\drivers\etc\hosts)
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    Hosts file scan result:
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    1 entries scanned.
    New objects :0
    Objects found so far: 0



    17:15:16 Scan complete

    Summary of this scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    Total scanning time :00:03:01:63
    Objects scanned :89238
    Objects identified :0
    Objects ignored :1
    New objects :0
     
  12. Top Banana

    Top Banana

    Joined:
    Nov 10, 2002
    Messages:
    1,344
    Fix with HijackThis:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
    O4 - HKLM\..\Run: [NAV Auto Update] IAMSAD.EXE

    Terminate IAMSAD.EXE in Task Manager and delete C:\WINDOWS\System32\IAMSAD.EXE file.
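
The selection above, expressed as an added Python example (not part of the original thread, and not a method Top Banana states): it parses a HijackThis log, flags the same three kinds of line, uses the "Running processes" list to find the file behind a path-less autostart entry, and checks which flagged entries reappear in a later scan. The rules, the function names and the `KNOWN_BARE` allowlist are assumptions made for this example; the log text is trimmed from the two logs posted in the thread.

```python
import ntpath
import re

# Trimmed excerpt of the first HijackThis v1.97.2 log posted in the thread.
FIRST_LOG = r"""
Running processes:
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\WINDOWS\System32\IAMSAD.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:14000
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
O4 - HKLM\..\Run: [NAV Auto Update] IAMSAD.EXE
"""

# Trimmed excerpt of the second log, posted after the first fix and a reboot.
SECOND_LOG = r"""
Running processes:
C:\WINDOWS\System32\IAMSAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NAV Auto Update] IAMSAD.EXE
"""

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
RUN_RE = re.compile(r"^HK\w+\\\.\.\\Run\w*: \[(.*?)\] (.*)$")
EXE_RE = re.compile(r"^(.*?\.(?:exe|com|bat|cmd|scr|pif))(?:\s|$)", re.I)
# Assumption for this example: bare names accepted as stock Windows entries.
KNOWN_BARE = {"systray.exe"}


def parse(log_text):
    """Split a log into running-process paths and (section, body) entries."""
    processes, entries, in_procs = [], [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        entry = ENTRY_RE.match(line)
        if line.lower().startswith("running processes"):
            in_procs = True
        elif entry:
            in_procs = False
            entries.append((entry.group(1), entry.group(2).strip()))
        elif in_procs and line:
            processes.append(line)
    return processes, entries


def command_target(command):
    """Return the executable named by a Run command line, without arguments."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    match = EXE_RE.match(command)
    return match.group(1) if match else command


def triage(log_text):
    """Return findings as dicts: section, entry, reason, running_from."""
    processes, entries = parse(log_text)
    running = {}
    for path in processes:
        running.setdefault(ntpath.basename(path).lower(), []).append(path)
    findings = []
    for section, body in entries:
        reason, running_from = None, []
        run = RUN_RE.match(body)
        if section in ("R0", "R1") and body.endswith("="):
            reason = "browser setting with a blank value"
        elif section in ("O2", "O3") and body.endswith("(no file)"):
            reason = "registered component whose file is missing"
        elif section == "O4" and run:
            target = command_target(run.group(2))
            name = ntpath.basename(target).lower()
            if not ntpath.dirname(target) and name not in KNOWN_BARE:
                reason = "autostart command with no directory path"
                # The process list shows where the file actually runs from.
                running_from = running.get(name, [])
        if reason:
            findings.append({"section": section, "entry": body,
                             "reason": reason, "running_from": running_from})
    return findings


def still_present(findings, later_log):
    """Findings from an earlier scan whose entry reappears in a later scan."""
    later = {body for _, body in parse(later_log)[1]}
    return [f for f in findings if f["entry"] in later]


if __name__ == "__main__":
    first = triage(FIRST_LOG)
    for f in first:
        print(f["section"], "|", f["reason"], "|", f["entry"], f["running_from"])
    print("Reappeared:", [f["entry"] for f in still_present(first, SECOND_LOG)])
```

The `running_from` path on the O4 finding is the file the fix instructions say to delete; in the thread the entry was still listed in the second scan and was gone only after that file was removed.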
     
  13. michaudl

    michaudl Thread Starter

    Joined:
    Sep 13, 2003
    Messages:
    6
    Thanks Top Banana.

    I just did that. I scanned with Spybot and there were no problems spotted.
    I rebooted.

    I ran HijackThis again and IAmSad.exe is still there. This is the last log from HijackThis:

    Logfile of HijackThis v1.97.2
    Scan saved at 18:40:46, on 2003-09-14
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\DAP\DAP.EXE
    C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
    C:\WINDOWS\System32\IAMSAD.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Meaya\Popup Ad Filter\PopFilter.exe
    C:\Program Files\CursorXP\CursorXP.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    C:\Program Files\Internet Call Manager\Icm.exe
    C:\Program Files\McAfee.com\SpamKiller\SpamKiller.exe
    C:\Program Files\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Stealther\stealth27.exe
    C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
    C:\Program Files\Grisoft\AVG7\avgemc.exe
    C:\cracks3\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:14000
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\PROGRA~1\COPERN~2\COPERN~1.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
    O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
    O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\Avg6\avgcc32.exe /startup
    O4 - HKLM\..\Run: [NAV Auto Update] IAMSAD.EXE
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Popup Ad Filter] C:\Program Files\Meaya\Popup Ad Filter\PopFilter.exe
    O4 - HKCU\..\Run: [CursorXP] "C:\Program Files\CursorXP\CursorXP.exe" -s
    O4 - Startup: zonealarm pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    O4 - Startup: 3Deep.lnk = C:\Program Files\E-Color\3Deep\3Deepctl.exe
    O4 - Startup: Internet Call Manager.LNK = C:\Program Files\Internet Call Manager\ICM.EXE
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Startup: McAfee.com SpamKiller.lnk = C:\Program Files\McAfee.com\SpamKiller\SpamKiller.exe
    O4 - Startup: AVG Control Center.lnk = C:\Program Files\Grisoft\AVG7\avgcc.exe
    O4 - Startup: Stealther.lnk = C:\Program Files\Stealther\stealth27.exe
    O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm
    O8 - Extra context menu item: Allow Popups - C:\Program Files\Meaya\Popup Ad Filter\WhiteGetUrl.js
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
    O8 - Extra context menu item: Search Using Copernic Agent - C:\Program Files\Copernic Agent\Web\SearchExt.htm
    O9 - Extra 'Tools' menuitem: Launch Copernic Agent (HKLM)
    O9 - Extra button: Copernic Agent (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O9 - Extra button: NeoTrace It! (HKCU)
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37878.6042592593
     
  14. Top Banana

    Top Banana

    Joined:
    Nov 10, 2002
    Messages:
    1,344
    Scan with HijackThis, put a checkmark at and "Fix checked" the following entries.

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O4 - HKLM\..\Run: [NAV Auto Update] IAMSAD.EXE

    Terminate IAMSAD.EXE in Task Manager and delete C:\WINDOWS\System32\IAMSAD.EXE file.
     
  15. michaudl

    michaudl Thread Starter

    Joined:
    Sep 13, 2003
    Messages:
    6
    Sorry Top Banana,

    I thought I did everything the first time, but I forgot to delete the system32/IAMSAD.EXE

    So, I did it again, but this time deleting the IAMSAD.exe file, and everything is now OK.

    Thanks to you and to all.

    But can you tell me how you selected the good line in the HijackThis program?

    Where did this IAMSAD.exe come from?
     
Short URL to this thread: https://techguy.org/164624