
Solved: "Ad-aware" not removing an intruder

Discussion in 'All Other Software' started by redoak, Feb 10, 2005.

  1. redoak

    redoak Gone but never forgotten Thread Starter

    Joined:
    Jun 24, 2004
    Messages:
    6,782
    I have many security programs in place that I update and run at least weekly. Every time I run "Ad-aware" it finds the same 'bad guy' at the very beginning of the scan. It is classified as a "possible browser hijack attempt," with a 'Type'- "RegData" and a 'Category'- "Data Miner," and 'Object' - "HKEY- - - - ."

    I have run “Ad-aware” ‘back to back’ after removing the hijack attempt, only for the scan to find it once again. Why isn’t it being removed? There doesn’t appear to be any ill effect on my well running computer. I use Mozilla as my browser, except to access MS sites. I am running XP Pro SP2.

    Thanks for any insights. {redoak}
     
  2. Couriant

    Couriant Trusted Advisor

    Joined:
    Mar 26, 2002
    Messages:
    32,605
    First Name:
    James
    what's the name of the object?
     
  3. redoak

    redoak Gone but never forgotten Thread Starter

    Joined:
    Jun 24, 2004
    Messages:
    6,782
    Thanks for the response: The "Object" string is:
    HKEY_CURRENT_USER:Software\Microsoft\InternetExplorer\Main"StartPage"("about:blank")

    Note: I may have missed some caps and some spaces, but I was as careful as I could be in writing it down and typing it here.

    More, possibly pertinent info: "SpywareGuard" does catch changes to my IE start page, which is purposely "blank." I then tell SG to revert to my "about blank" preference.

    As noted originally, I hardly ever use IE. {redoak}
     
  4. md2lgyk

    md2lgyk

    Joined:
    Jul 3, 2003
    Messages:
    1,068
    As I understand it (though it's never happened to me), many browser hijackers replace your usual home page with a blank page. Thus, having a blank home page, even intentionally, is indicative of a possible hijack and programs like Ad-aware flag it as such even though it isn't.
     
  5. flavallee

    flavallee Trusted Advisor

    Joined:
    May 12, 2002
    Messages:
    78,959
    First Name:
    Frank
    Redoak:

    Download HijackThis 1.99.0 from here, unzip it into a folder that you create for it, run a scan with it, save the log, then post the entire contents of the log here in this post.

    ---------------------------------------------------------------

    You can read about about:blank here.
     
  6. redoak

    redoak Gone but never forgotten Thread Starter

    Joined:
    Jun 24, 2004
    Messages:
    6,782
    "f": Thanks for that insight. As I mentioned at first, none of my security programs ever finds an 'intruder.' However, I will attempt to post a "hijackthis" file to take advantage of your offer to go over it. Please be patient. I think I have it! See below. {redoak}

    Logfile of HijackThis v1.99.0
    Scan saved at 3:24:17 PM, on 2/11/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    D:\avgupsvc.exe
    D:\DkService.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\system32\ZONELABS\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
    D:\HewlettPackard\HP Share-to-Web\hpgs2wnd.exe
    D:\gcasServ.exe
    D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    D:\HewlettPackard\HP Share-to-Web\hpgs2wnf.exe
    D:\gcasDtServ.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    D:\SpywareGuard\sgmain.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    D:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
    D:\SpywareGuard\sgbhp.exe
    C:\Program Files\AcmeNET\dialer.exe
    D:\ARTERAUI.EXE
    D:\artera.exe
    C:\PROGRA~1\mozilla.org\Mozilla\Mozilla.exe
    C:\WINDOWS\system32\wuauclt.exe
    D:\avgamsvr.exe
    D:\avgemc.exe
    C:\DOCUME~1\CGS\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.acmenet.net
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.acmenet.net
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = e:\My Documents - Usual MD file arrangement\2- Tech Info to be edited\290301 - Description of the Windows Installer CleanUp Utility_files\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = e:\My Documents - Usual MD file arrangement\2- Tech Info to be edited\290301 - Description of the Windows Installer CleanUp Utility_files\blank.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=localhost:8081;http=localhost:8081
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [AVG7_EMC] D:\avgemc.exe
    O4 - HKLM\..\Run: [Acronis True Image Monitor] "C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"
    O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
    O4 - HKLM\..\Run: [DiskeeperSystray] "D:\DkIcon.exe"
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] D:\HewlettPackard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [gcasServ] "D:\gcasServ.exe"
    O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: SpywareGuard.lnk = D:\SpywareGuard\sgmain.exe
    O4 - Startup: Shortcut to SynTPEnh.exe.lnk = C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - Startup: Ad-watch 3.0.lnk = D:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://none
    O14 - IERESET.INF: MS_START_PAGE_URL=http://none
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2E0F9E2C-91DA-4883-96C5-4F0FCBC5054C}: NameServer = 204.97.128.2 204.97.128.4
    O23 - Service: Acronis Scheduler2 Service - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    O23 - Service: Aluria Spyware Eliminator Service - Unknown - D:\PROGRA~1\ALURIA~1\ASE\ASEServ.exe
    O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - D:\avgamsvr.exe
    O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - D:\avgupsvc.exe
    O23 - Service: Diskeeper - Executive Software International, Inc. - D:\DkService.exe
    O23 - Service: InCD Helper - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: TuneUp WinStyler Theme Service - TuneUp Software GmbH - D:\WinStylerThemeSvc.exe
    O23 - Service: TrueVector Internet Monitor - Zone Labs LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe
     
  7. flavallee

    flavallee Trusted Advisor

    Joined:
    May 12, 2002
    Messages:
    78,959
    First Name:
    Frank
    It looks to me like the hard drive is in 2 partitions (C: and D:). I guess that's why you have Acronis True Image installed.

    ---------------------------------------------------------------

    You've got unnecessary programs loading during startup and running in the background. If you want to disable them from doing so, click Start - Run, type in MSCONFIG, then click OK - Startup(tab). Uncheck the following:

    ati2evxx.exe Read here.
    (This one pertains to an ATI graphics card. Personally, I keep all the ATI entries disabled)

    hpgs2wnd.exe Read here.

    hpgs2wnf.exe
    (These 2 pertain to HP Share-To-Web. If you don't use it, uninstall it in Add/Remove Programs and disable these)

    ---------------------------------------------------------------

    Someone more proficient than me needs to look at your log and determine what, if any, needs fixing.

    -----------------------------------------------------------------
     
  8. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    There is an entry for AdAware 6 – That is not the latest

    AdAware SE 1.05 http://www.majorgeeks.com/download506.html

    With HJT, mark these entries, close IE and click Fix Checked:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = e:\My Documents - Usual MD file arrangement\2- Tech Info to be edited\290301 - Description of the Windows Installer CleanUp Utility_files\blank.htm

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = e:\My Documents - Usual MD file arrangement\2- Tech Info to be edited\290301 - Description of the Windows Installer CleanUp Utility_files\blank.htm

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=localhost:8081;http=localhost:8081

    O14 - IERESET.INF: START_PAGE_URL=http://none

    O14 - IERESET.INF: MS_START_PAGE_URL=http://none

    Boot and post a new log
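As an added example (not code from this thread, from HijackThis or from Lavasoft), here is a small Python triage script for the HJT "R"/"O" entry format that applies the reasoning from md2lgyk's post (a blank IE start page is a hijack indicator that scanners flag even when set on purpose) and MFDnNC's list above (localhost proxy, altered IERESET.INF, stale Ad-aware 6 startup item). The sample lines are copied from the logs in this thread; the about:blank line is constructed from redoak's description of the Ad-aware hit.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample: real entries from the HJT logs posted in this thread,
# plus an about:blank Start Page line built from the thread starter's report.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.acmenet.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=localhost:8081;http=localhost:8081
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Startup: Ad-watch 3.0.lnk = D:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
O14 - IERESET.INF: START_PAGE_URL=http://none
O23 - Service: TrueVector Internet Monitor - Zone Labs LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe
"""

class Finding(NamedTuple):
    section: str   # HJT section code, e.g. "R1" or "O4"
    action: str    # "fix" (remove with Fix Checked) or "review" (confirm before acting)
    reason: str
    line: str

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")

def parse_entry(line: str) -> Optional[Tuple[str, str]]:
    """Split one HJT line into (section, body); None for headers/process list."""
    m = ENTRY_RE.match(line.strip())
    return (m["section"], m["body"]) if m else None

def review(log_text: str) -> List[Finding]:
    """Apply the thread's triage rules to every R/O entry in an HJT log."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        parsed = parse_entry(line)
        if parsed is None:
            continue
        section, body = parsed
        # R and O4-Startup entries are "<key>,<value name> = <data>"
        name, _, data = body.partition(" = ")
        if section in ("R0", "R1") and "ProxyServer" in name and "localhost" in data:
            findings.append(Finding(section, "fix", "IE traffic routed through a localhost proxy", line))
        elif section in ("R0", "R1") and name.endswith("Start Page") and data.strip().lower() == "about:blank":
            # Hijackers commonly blank the home page, so scanners flag it;
            # when the user set it deliberately this is a false positive.
            findings.append(Finding(section, "review", "blank start page: hijack indicator unless set deliberately", line))
        elif section == "O14" and "START_PAGE_URL=http://none" in body:
            findings.append(Finding(section, "fix", "IE reset defaults (IERESET.INF) altered", line))
        elif section == "O4" and "Ad-aware 6" in body:
            findings.append(Finding(section, "fix", "startup item from superseded Ad-aware 6 install", line))
    return findings

if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f"[{f.action:6}] {f.section}: {f.reason}\n          {f.line}")
```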
     
  9. redoak

    redoak Gone but never forgotten Thread Starter

    Joined:
    Jun 24, 2004
    Messages:
    6,782
    Thanks to both of you. I do use a HP scanner. I am familiar with 'msconfig,' so will be able to follow 'f's' suggestions. On the other hand, I will have to take my time with deleting items in the HJT listing; I am not at all familiar with that aspect of HJT. I will also check for an up-to-date download of "Ad-aware."

    I performed an "experiment," allowing the IE home page to be altered from "about blank." It went to the main 'MSN' url. When I then ran "Ad-aware" there was no problem found. Therefore, "f's" supposition appears to be correct: "about blank" is seen as a problem by "Ad-aware."

    I'll be back as soon as possible with a new HJT log. Thanks again. {redoak}
     
  10. flavallee

    flavallee Trusted Advisor

    Joined:
    May 12, 2002
    Messages:
    78,959
    First Name:
    Frank
    You're likely using Ad-Aware 6.181, so make sure to upgrade to Ad-Aware SE Personal 1.05. It'll uninstall the old version during the install process before it installs the new version. Make sure to run its update function afterwards and get it up-to-date. (y)

    Run another scan with HijackThis and place a checkmark in the ones that MFDnNC advised to, then click "Fix Checked". It's simple enough to do.
     
  11. redoak

    redoak Gone but never forgotten Thread Starter

    Joined:
    Jun 24, 2004
    Messages:
    6,782
    Partial results report:

    1. The "ATI" entry does not appear in my 'startup' list.

    2. I already have "Ad-aware SE 1.0.5.0" installed. For some reason the "6" still shows in numerous places. I am downloading 1.0.5.0 right now and will reinstall.
     
  12. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    Fix this in addition to the previously mentioned ones

    O4 - Startup: Ad-watch 3.0.lnk = D:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
     
  13. redoak

    redoak Gone but never forgotten Thread Starter

    Joined:
    Jun 24, 2004
    Messages:
    6,782
    "M": I was wrong about having the "SE" version of Ad-a. I now have it in place from all indications. I did not 'fix' your HJT referenced "O4" above before running the program. The latest log follows.
    I do have multiple partitions on my HDD.

    Logfile of HijackThis v1.99.0
    Scan saved at 10:46:54 AM, on 2/12/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    D:\avgamsvr.exe
    D:\avgupsvc.exe
    D:\DkService.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\system32\ZONELABS\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    D:\avgemc.exe
    C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
    D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    D:\HewlettPackard\HP Share-to-Web\hpgs2wnd.exe
    D:\gcasDtServ.exe
    D:\HewlettPackard\HP Share-to-Web\hpgs2wnf.exe
    C:\Program Files\mozilla.org\Mozilla\Mozilla.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    D:\SpywareGuard\sgmain.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    D:\SpywareGuard\sgbhp.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\DOCUME~1\CGS\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.acmenet.net
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.acmenet.net
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [AVG7_EMC] D:\avgemc.exe
    O4 - HKLM\..\Run: [Acronis True Image Monitor] "C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"
    O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
    O4 - HKLM\..\Run: [DiskeeperSystray] "D:\DkIcon.exe"
    O4 - HKLM\..\Run: [gcasServ] "D:\gcasServ.exe"
    O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] D:\HewlettPackard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: SpywareGuard.lnk = D:\SpywareGuard\sgmain.exe
    O4 - Startup: Shortcut to SynTPEnh.exe.lnk = C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - Startup: Ad-watch 3.0.lnk = D:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O23 - Service: Acronis Scheduler2 Service - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    O23 - Service: Aluria Spyware Eliminator Service - Unknown - D:\PROGRA~1\ALURIA~1\ASE\ASEServ.exe
    O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - D:\avgamsvr.exe
    O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - D:\avgupsvc.exe
    O23 - Service: Diskeeper - Executive Software International, Inc. - D:\DkService.exe
    O23 - Service: InCD Helper - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: TuneUp WinStyler Theme Service - TuneUp Software GmbH - D:\WinStylerThemeSvc.exe
    O23 - Service: TrueVector Internet Monitor - Zone Labs LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

    Thanks to all for your attention and help. {redoak}
     
  14. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    I would fix

    O4 - Startup: Ad-watch 3.0.lnk = D:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe

    as it is not valid with SE

    BTW 57 years young, did this for a living and still learning. Go for it!
     
  15. redoak

    redoak Gone but never forgotten Thread Starter

    Joined:
    Jun 24, 2004
    Messages:
    6,782
    "M": This has been like instant messenger this morning! Once again, I sure appreciate your ongoing help. I will take care of that last HJT entry. A very good learning experience for me thanks to the good teachers. {redoak}
     
Short URL to this thread: https://techguy.org/328825