Solved: "Ad-aware" not removing an intruder

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

redoak

Thread Starter
Gone but never forgotten
Joined
Jun 24, 2004
Messages
6,781
I have many security programs in place that I update and run at least weekly. Every time I run "Ad-aware" it finds the same 'bad guy' at the very beginning of the scan. It is classified as a "possible browser hijack attempt," with a 'Type'- "RegData" and a 'Category'- "Data Miner," and 'Object' - "HKEY- - - - ."

I have run "Ad-aware" 'back to back' after removing the hijack attempt, only for the scan to find it once again. Why isn't it being removed? There doesn't appear to be any ill effect on my well running computer. I use Mozilla as my browser, except to access MS sites. I am running XP Pro SP2.

Thanks for any insights. {redoak}
 

redoak

Thread Starter
Gone but never forgotten
Joined
Jun 24, 2004
Messages
6,781
Thanks for the response: The "Object" string is:
HKEY_CURRENT_USER:Software\Microsoft\InternetExplorer\Main"StartPage"("about:blank")

Note: I may have missed some caps and some spaces, but I was as careful as I could be in writing it down and typing it here.

More, possibly pertinent info: "SpywareGuard" does catch changes to my IE start page, which is purposely "blank." I then tell SG to revert to my "about blank" preference.

As noted originally, I hardly ever use IE. {redoak}
 
Joined
Jul 3, 2003
Messages
1,068
As I understand it (though it's never happened to me), many browser hijackers replace your usual home page with a blank page. Thus, having a blank home page, even intentionally, is indicative of a possible hijack and programs like Ad-aware flag it as such even though it isn't.
 

flavallee

Frank
Trusted Advisor
Joined
May 12, 2002
Messages
81,716
Redoak:

Download HijackThis 1.99.0 from here, unzip it into a folder that you create for it, run a scan with it, save the log, then post the entire contents of the log here in this post.

---------------------------------------------------------------

You can read about about:blank here.
 

redoak

Thread Starter
Gone but never forgotten
Joined
Jun 24, 2004
Messages
6,781
"f": Thanks for that insight. As I mentioned at first, none of my security programs ever finds an 'intruder.' However, I will attempt to post a "hijackthis" file to take advantage of your offer to go over it. Please be patient. I think I have it! See below. {redoak}

Logfile of HijackThis v1.99.0
Scan saved at 3:24:17 PM, on 2/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\system32\Ati2evxx.exe
D:\avgupsvc.exe
D:\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
D:\HewlettPackard\HP Share-to-Web\hpgs2wnd.exe
D:\gcasServ.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\HewlettPackard\HP Share-to-Web\hpgs2wnf.exe
D:\gcasDtServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
D:\SpywareGuard\sgmain.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
D:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
D:\SpywareGuard\sgbhp.exe
C:\Program Files\AcmeNET\dialer.exe
D:\ARTERAUI.EXE
D:\artera.exe
C:\PROGRA~1\mozilla.org\Mozilla\Mozilla.exe
C:\WINDOWS\system32\wuauclt.exe
D:\avgamsvr.exe
D:\avgemc.exe
C:\DOCUME~1\CGS\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.acmenet.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.acmenet.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = e:\My Documents - Usual MD file arrangement\2- Tech Info to be edited\290301 - Description of the Windows Installer CleanUp Utility_files\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = e:\My Documents - Usual MD file arrangement\2- Tech Info to be edited\290301 - Description of the Windows Installer CleanUp Utility_files\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=localhost:8081;http=localhost:8081
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_EMC] D:\avgemc.exe
O4 - HKLM\..\Run: [Acronis True Image Monitor] "C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [DiskeeperSystray] "D:\DkIcon.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] D:\HewlettPackard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [gcasServ] "D:\gcasServ.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: SpywareGuard.lnk = D:\SpywareGuard\sgmain.exe
O4 - Startup: Shortcut to SynTPEnh.exe.lnk = C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - Startup: Ad-watch 3.0.lnk = D:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://none
O14 - IERESET.INF: MS_START_PAGE_URL=http://none
O17 - HKLM\System\CCS\Services\Tcpip\..\{2E0F9E2C-91DA-4883-96C5-4F0FCBC5054C}: NameServer = 204.97.128.2 204.97.128.4
O23 - Service: Acronis Scheduler2 Service - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Aluria Spyware Eliminator Service - Unknown - D:\PROGRA~1\ALURIA~1\ASE\ASEServ.exe
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - D:\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - D:\avgupsvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - D:\DkService.exe
O23 - Service: InCD Helper - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: TuneUp WinStyler Theme Service - TuneUp Software GmbH - D:\WinStylerThemeSvc.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe
 

flavallee

Frank
Trusted Advisor
Joined
May 12, 2002
Messages
81,716
It looks to me like the hard drive is in 2 partitions (C: and D:). I guess that's why you have Acronis True Image installed.

---------------------------------------------------------------

You've got unnecessary programs loading during startup and running in the background. If you want to disable them from doing so, click Start - Run, type in MSCONFIG, then click OK - Startup(tab). Uncheck the following:

ati2evxx.exe Read here.
(This one pertains to an ATI graphics card. Personally, I keep all the ATI entries disabled)

hpgs2wnd.exe Read here.

hpgs2wnf.exe
(These 2 pertain to HP Share-To-Web. If you don't use it, uninstall it in Add/Remove Programs and disable these)

---------------------------------------------------------------

Someone more proficient than me needs to look at your log and determine what, if any, needs fixing.

-----------------------------------------------------------------
 
Joined
Sep 7, 2004
Messages
49,014
There is an entry for AdAware 6 – That is not the latest

AdAware SE 1.05 http://www.majorgeeks.com/download506.html

With HJT, mark these entries, close IE and click Fix checked

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = e:\My Documents - Usual MD file arrangement\2- Tech Info to be edited\290301 - Description of the Windows Installer CleanUp Utility_files\blank.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = e:\My Documents - Usual MD file arrangement\2- Tech Info to be edited\290301 - Description of the Windows Installer CleanUp Utility_files\blank.htm

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=localhost:8081;http=localhost:8081

O14 - IERESET.INF: START_PAGE_URL=http://none

O14 - IERESET.INF: MS_START_PAGE_URL=http://none

Boot and post a new log
 
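The two points in this thread worth seeing side by side are the false positive (a deliberately blank IE start page trips a "possible browser hijack" rule, as explained a few posts up) and the R0/R1 lines MFDnSC asks to have fixed (the Local Page path and the localhost proxy). The script below is an added example written for this page, not code from the thread, from Lavasoft or from HijackThis: it parses HijackThis-style R0/R1 lines from a constructed sample modelled on redoak's log (paths shortened), applies a naive "about:blank means hijack" rule, then applies a contextual rule that compares each value with what the user says they configured. The Windows XP default for Local Page (%SystemRoot%\system32\blank.htm) is an assumption stated in the code.

```python
import re
from typing import Dict, List

# Constructed sample, modelled on the R0/R1 lines posted in this thread. The
# first line stands in for the Ad-aware finding (HKCU Start Page = about:blank).
# Paths are shortened; this is not the poster's actual log.
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = about:blank
R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Default_Page_URL = www.acmenet.net
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = www.acmenet.net
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Local Page = e:\\My Documents\\blank.htm
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = ftp=localhost:8081;http=localhost:8081
"""

# "R0 - HIVE\key\path,Value Name = data"
R_LINE = re.compile(r"^(R[01]) - (HK[A-Z]+)\\(.+?),([^=]+?) = (.*)$")


def parse_r_lines(text: str) -> List[Dict[str, str]]:
    """Split R0/R1 lines into hive, key path, value name and data."""
    entries = []
    for line in text.splitlines():
        m = R_LINE.match(line.strip())
        if m:
            entries.append({"tag": m.group(1), "hive": m.group(2), "key": m.group(3),
                            "name": m.group(4), "data": m.group(5)})
    return entries


def naive_verdict(entry: Dict[str, str]) -> str:
    """Signature-style rule in the spirit of the Ad-aware hit discussed here:
    any IE Start Page of about:blank is a possible hijack, however it got there."""
    if entry["name"] == "Start Page" and entry["data"].lower() == "about:blank":
        return "flag: possible browser hijack (Start Page = about:blank)"
    return "ok"


def contextual_verdict(entry: Dict[str, str], prefs: Dict[str, str]) -> str:
    """Same data, checked against the user's declared settings and a few
    properties of the value itself."""
    name, data = entry["name"], entry["data"]
    if name in ("Start Page", "Default_Page_URL") and prefs.get(name, "").lower() == data.lower():
        return "ok: matches user preference"
    if name == "ProxyServer":
        # A proxy on the local machine is often a filtering program, but the
        # log does not say which one, so a person has to confirm what listens there.
        if re.search(r"\b(localhost|127\.0\.0\.1):\d+", data):
            return "review: proxy points at the local machine; confirm which program listens there"
        return "review: proxy set"
    if name == "Local Page":
        # Assumption for this example: Windows XP ships Local Page as
        # %SystemRoot%\system32\blank.htm. Anything else is worth a look.
        if not re.match(r"^(%systemroot%|c:\\windows)\\system32\\blank\.htm$", data, re.I):
            return "review: Local Page is not the Windows default"
        return "ok"
    if name == "Start Page" and data.lower() == "about:blank":
        return "info: blank start page; only a finding if the user did not set it"
    return "ok"


def triage(text: str, prefs: Dict[str, str]) -> List[Dict[str, str]]:
    """Run both rules over every R-line and return them side by side."""
    rows = []
    for e in parse_r_lines(text):
        rows.append({"line": f'{e["tag"]} {e["hive"]} {e["name"]}',
                     "naive": naive_verdict(e),
                     "contextual": contextual_verdict(e, prefs)})
    return rows


if __name__ == "__main__":
    user_prefs = {"Start Page": "about:blank"}   # what the poster says he configured
    for row in triage(SAMPLE_LOG, user_prefs):
        print(f'{row["line"]:32} naive={row["naive"]}\n{"":32} contextual={row["contextual"]}')
```

The naive rule reproduces the repeat finding in the first post: the value is restored on purpose, so every scan flags it again. The contextual rule reports the blank start page as fine once the user's preference is known, and instead puts the two entries MFDnSC singled out (the non-default Local Page and the localhost:8081 proxy) in the "review" column, which is where a human check belongs.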

redoak

Thread Starter
Gone but never forgotten
Joined
Jun 24, 2004
Messages
6,781
Thanks to both of you. I do use a HP scanner. I am familiar with 'msconfig,' so will be able to follow 'f's' suggestions. On the other hand, I will have to take my time with deleting items in the HJT listing; I am not at all familiar with that aspect of HJT. I will also check for an up-to-date download of "Ad-aware."

I performed an "experiment," allowing the IE home page to be altered from "about blank." It went to the main 'MSN' url. When I then ran "Ad-aware" there was no problem found. Therefore, "f's" supposition appears to be correct: "about blank" is seen as a problem by "Ad-aware."

I'll be back as soon as possible with a new HJT log. Thanks again. {redoak}
 

flavallee

Frank
Trusted Advisor
Joined
May 12, 2002
Messages
81,716
You're likely using Ad-Aware 6.181, so make sure to upgrade to Ad-Aware SE Personal 1.05. It'll uninstall the old version during the install process before it installs the new version. Make sure to run its update function afterwards and get it up-to-date. (y)

Run another scan with HijackThis and place a checkmark in the ones that MFDnSC advised to, then click "Fix Checked". It's simple enough to do.
 

redoak

Thread Starter
Gone but never forgotten
Joined
Jun 24, 2004
Messages
6,781
Partial results report:

1. The "ATI" entry does not appear in my 'startup' list.

2. I already have "Ad-aware SE 1.0.5.0" installed. For some reason the "6" still shows in numerous places. I am downloading 1.0.5.0 right now and will reinstall.
 
Joined
Sep 7, 2004
Messages
49,014
Fix this in addition to the previously mentioned ones

O4 - Startup: Ad-watch 3.0.lnk = D:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
 

redoak

Thread Starter
Gone but never forgotten
Joined
Jun 24, 2004
Messages
6,781
"M": I was wrong about having the "SE" version of Ad-a. I now have it in place from all indications. I did not 'fix' your HJT referenced "04" above before running the program. The latest log follows.
I do have multiple partitions on my HDD.

Logfile of HijackThis v1.99.0
Scan saved at 10:46:54 AM, on 2/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\system32\Ati2evxx.exe
D:\avgamsvr.exe
D:\avgupsvc.exe
D:\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
D:\avgemc.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\HewlettPackard\HP Share-to-Web\hpgs2wnd.exe
D:\gcasDtServ.exe
D:\HewlettPackard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\mozilla.org\Mozilla\Mozilla.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
D:\SpywareGuard\sgmain.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
D:\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\DOCUME~1\CGS\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.acmenet.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.acmenet.net
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_EMC] D:\avgemc.exe
O4 - HKLM\..\Run: [Acronis True Image Monitor] "C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [DiskeeperSystray] "D:\DkIcon.exe"
O4 - HKLM\..\Run: [gcasServ] "D:\gcasServ.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] D:\HewlettPackard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: SpywareGuard.lnk = D:\SpywareGuard\sgmain.exe
O4 - Startup: Shortcut to SynTPEnh.exe.lnk = C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - Startup: Ad-watch 3.0.lnk = D:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Acronis Scheduler2 Service - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Aluria Spyware Eliminator Service - Unknown - D:\PROGRA~1\ALURIA~1\ASE\ASEServ.exe
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - D:\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - D:\avgupsvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - D:\DkService.exe
O23 - Service: InCD Helper - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: TuneUp WinStyler Theme Service - TuneUp Software GmbH - D:\WinStylerThemeSvc.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

Thanks to all for your attention and help. {redoak}
 
Joined
Sep 7, 2004
Messages
49,014
I would fix

O4 - Startup: Ad-watch 3.0.lnk = D:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe

as it is not valid with SE

BTW 57 years young, did this for a living and still learning. Go for it!
 

redoak

Thread Starter
Gone but never forgotten
Joined
Jun 24, 2004
Messages
6,781
"M": This has been like instant messenger this morning! Once again, I sure appreciate your ongoing help. I will take care of that last HJT entry. A very good learning experience for me thanks to the good teachers. {redoak}
 