Adware
Re: Adware
Posted by Kain on Mon Jun 21st at 7:48pm 2004


When you are using Ad-Aware DON'T CHECK "Perform Smart System Scan", instead "Use custom scanning options"! Then click "Customize" and check everything for maximum security; in the "Scanning" tab and in the "Advanced" tab, check "Scan within archives", "Don't skip non-executable files", "Scan my IE favorites for banned URL", "Scan my Hosts file" etc etc...

This way Ad-Aware will be at its maximum efficiency. Hope that helps





Re: Adware
Posted by $loth on Mon Jun 21st at 7:58pm 2004


? posted by Kain

When you are using Ad-Aware DON'T CHECK "Perform Smart System Scan", instead "Use custom scanning options"! Then click "Customize" and check everything for maximum security; in the "Scanning" tab and in the "Advanced" tab, check "Scan within archives", "Don't skip non-executable files", "Scan my IE favorites for banned URL", "Scan my Hosts file" etc etc...

This way Ad-Aware will be at its maximum efficiency. Hope that helps

Why was i not informed

*shakes head*

/starts up adaware





Re: Adware
Posted by Sim on Mon Jun 21st at 8:04pm 2004


Yep, I've made sure Spybot, Ad-Aware, AVG, Stinger and SwatIt are all fully updated and scanning the most they can. I thought I heard somewhere that some processes hide themselves so that they can't be seen in the task manager. Is this true? Seems like one nasty piece of adware if nothing manages to find it.
Damn, I've had 4 pop-ups while typing this post

(edit) What's this stuff with Google toolbar? I thought it was an extra search window you stick in IE, but is it something else, or does it do that and something else?





Re: Adware
Posted by Sim on Mon Jun 21st at 8:49pm 2004


Ha, I found something

I did a Windows search for all files created yesterday and I found some suspicious ones in the C:\Windows\Prefetch folder with a .pf extension (prefetch?). These were the only dodgy files found, except for an .xml one. Examples:

ADLINSTALLWIN32.EXE-23B5AD51.pf
ISTINSTALL_ADLOGIX.EXE-02457D56.pf
TRANS.EXE-0E046614.pf
adupdmanager.xml (in csmiley

I see there are some other useful files in here from other programs too though. Could .pf files (and an xml) actually be usable for ad pop-ups? As far as I know, only the last extension of a file counts, so the .exe would be useless.

Other strange things are happening - pasting text takes a few seconds sometimes and the text appears as blank space until I move the cursor about. As I mentioned before, the browser window for the Snarkpit flashes orange (updated I believe) after about 10 seconds when the window isn't selected. I don't know if that's because the adware might be eating up memory, I searched for prefetch in Google and found that prefetch files take up a lot of RAM.

I've searched for the .exe files but I can't find the first one. I'm not sure which ones to delete/zip (to make them unusable) because I don't know if programs need them, and the 'ad' bit is confusing because it could belong to Ad-Aware too. The ISTINSTALL_ADLOGIX.EXE exists, so I think I'll try zipping that along with the .xml (some sort of script run by the ad program that automatically downloads updates?)

Bleh, my head hurts





Re: Adware
Posted by Sim on Mon Jun 21st at 9:15pm 2004


Nope, I've zipped the xml, 2 ad-ish pfs and the istinstall_adlogix.exe to no avail, they're still popping up. Maybe there's some other program hiding? How do I find out what hidden programs are running? (Ones that don't show up in the task manager)





Re: Adware
Posted by scary_jeff on Mon Jun 21st at 10:00pm 2004


http://www.dslreports.com/forum/remark,10456031~mode=flat

Some guy who had ADLINSTALLWIN32.EXE, and a solution. Might be worth a go. Have you tried the McAfee online scanner thing? It seems odd that something that is obviously adware is not being picked up by Spybot or Ad-Aware. Did you try running these things in safe mode? Perhaps the adware has some built-in Spybot protection...




Re: Adware
Posted by Gorbachev on Tue Jun 22nd at 2:17am 2004


It's possible to have a bunch of svchost's but be aware of slight misspellings as many viruses/trojans use similar to system file words. I believe they are there to prioritize different open windows XP and such, although I can't fully recall.

Some services you can untick, but go through the control panel -> administrative tools ->services so you get a full knowledge of what each part is before you decide to allow it or not.

I did a quick search through Google and a few other places; the highlighted processes are suspect, as there is not enough info or they just seem "fishy", so unless you've installed them knowingly, I'd be careful.

JAVAW.EXE (SYSTEM) = Application tied to Java, not troublesome
HJAVAW.EXE (SYSTEM) = something to do with System32\Hummingbird...Don't know for sure what this is...
NVSVC32.EXE (SYSTEM) = Nvidia driver helper service
jconfigNT.exe (SYSTEM) = unknown...could be problematic
INETD32.EXE (SYSTEM) = also tied to Hummingbird
Ctsvccda.exe (SYSTEM) = CD-ROM utility services installed by a Creative program/driver.
OffMan.exe (USER) = Intense Language Office?
CTFMON.EXE (USER) = Office Language bar
realsched.exe (USER) = Realplayer horses**t
SPOOLSV.EXE (SYSTEM) = Printer Spool Service (keeps print jobs in memory)
LSASS.EXE (SYSTEM) = "Windows Local Security Authority Server" Service in charge of windows security features, authentication etc.
SERVICES.EXE (SYSTEM) = Application for NT based systems in starting/stopping/using services
CSRSS.EXE (SYSTEM) = "Client/Server Runtime Server Subsystem"
SMSS.EXE (SYSTEM) = Session Manager Subsystem, used to start/stop/manage user/client sessions under Terminal Server




Re: Adware
Posted by Sim on Tue Jun 22nd at 3:42pm 2004


Gorbachev - Thanks for the process descriptions. I do have a program called Intense Language Office installed, and the jconfigNT seems to be to do with Hummingbird I believe (which is another installed program). The svchost files all seem to be the same too.

Jeff - Thanks for the link, it's brought up some useful threads for me to follow.

Another topic www.lavasoftsupport.com/index.php?showtopic=31815 has AdLogix problems (I believe that's the one I have). The file adupdmanager.xml has also been popping up around my C drive too. I've deleted the xmls and password-zipped the exe. The user from the mentioned topic ran a custom Ad-Aware scan and found his problem, but I customised mine to be the same as that and it still turns up just tracking cookies. A Windows search hasn't found any more adlogix, adupdmanager or istinstall files, so I'm hoping I've got rid of it.

What is also mentioned in this topic is the automove.exe file, which seems to be a source of adware. Similarly, I also have an automove.exe in my Windows\System32 folder. I moved it to another partition and zipped it, and also removed it from the Startup tab in msconfig.

Hopefully my adware has gone now, I'll just reboot and see how it goes. Again, thanks for all of the help.





Re: Adware
Posted by Orpheus on Tue Jun 22nd at 3:51pm 2004


i know this was mentioned, but it's important enuff to post once more for good measure..

Adaware, and Spybot, do not like each other, run one or the other, but don't install both, unless you are positive of your actions.. Spybot, or Adaware one, will remove parts of the other during cleansing





Re: Adware
Posted by scary_jeff on Tue Jun 22nd at 5:15pm 2004


I just ran both of them, Ad-Aware while Spybot was installing then running. No problems occurred. Perhaps your Ad-Aware or Spybot installation had been infected by some rogue spyware.



Re: Adware
Posted by Orpheus on Tue Jun 22nd at 5:33pm 2004


read my red words again Jeff..

also, although i have seen the warning message myself, i cannot guarantee that everyone will.. each pc is unique after all.





Re: Adware
Posted by Sim on Tue Jun 22nd at 6:52pm 2004


My Ad-Aware and Spybot installations don't seem to conflict with each other. I think you mentioned it before and I have kept an eye out for any conflict, but they seem fine. Thanks for the advice anyway.
Oh, and Happy Birthday!

The adware is still there though. I've deleted some adware-related files but they seem to also be located elsewhere, yet the Windows search feature isn't finding them. Bit of a dead end now, I seem to have used up most of the ideas I have. If I really come to a brick wall then I'll try posting at the Lavasoft (Ad-Aware people) forum.





Re: Adware
Posted by scary_jeff on Tue Jun 22nd at 8:15pm 2004


I read your post properly the first time. You said that Ad-Aware or Spybot "will remove parts of the other during cleansing" - all I did was say that this didn't happen to me when I was using Spybot and Ad-Aware at the same time, and gave a possible cause for it happening to you.



Re: Adware
Posted by Orpheus on Tue Jun 22nd at 9:08pm 2004


? posted by scary_jeff
I read your post properly the first time. You said that Ad-Aware or Spybot "will remove parts of the other during cleansing" - all I did was say that this didn't happen to me when I was using Spybot and Ad-Aware at the same time, and gave a possible cause for it happening to you.

both my programs were installed at the time, before i ran either..

don't remember which it was, but i think adaware attempted to remove some spybot stuff.. i had a warning message none the less about it.

anywho's i prefer spybot, it finds things adaware misses.. as i said though, each PC is unique, maybe i have stuff no one else has or would have :/





Re: Adware
Posted by Rumple on Wed Jun 23rd at 12:08am 2004


i got that message that orph mentioned once but that was on older versions of both Ad-Aware and Spybot S&D, it doesn't seem to be a problem with the newer versions.




Re: Adware
Posted by Orpheus on Wed Jun 23rd at 12:12am 2004


? posted by Rumple
i got that message that orph mentioned once but that was on older versions of both Ad-Aware and Spybot S&D, it doesn't seem to be a problem with the newer versions.

*wipes brow*

jeff had me wondering.. thanx rumple





Re: Adware
Posted by Sim on Wed Jun 23rd at 7:01pm 2004


All clear!

The problem was highlighted when I ran HijackThis, and several spyware entries were found. Deleting any old files can cause damage though, so I checked with a security message board and they gave me instructions. There was also a dll in the C:\Windows\System32 directory called SWin32.dll that I think was related to it, and that file was deleted.

Here's the HijackThis log if you want to see (now removed processes shown in red, ignore the yellow text, they're links):

Logfile of HijackThis v1.97.7
Scan saved at 17:21:00, on 23/06/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
D:\AVG\avgcc32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\United Devices\UD.exe
D:\Intense Language Office\Common\OffMan.exe
C:\Program Files\United Devices\ud_7174683.exe
D:\AVG\avgserv.exe
C:\WINDOWS\System32\CTSvcCDA.exe
C:\Program Files\United Devices\ud_7174683_0.dir\ud_ligfit_Release.exe
C:\WINDOWS\System32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
C:\WINDOWS\System32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
C:\WINDOWS\System32\Hummingbird\Connectivity\7.00\Jconfig\hjavaw.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\JavaSoft\JRE\1.3.1\bin\javaw.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
D:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = hermes:3128
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SpyBot\SDHelper.dll
O2 - BHO: (no name) - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - C:\WINDOWS\System32\SWin32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [WheelMouse] C:\WHEELM~1\wh_exec.exe
O4 - HKLM\..\Run: [Intense Registry Service] IntEdReg.exe /CHECK
O4 - HKLM\..\Run: [QuickTime Task] "D:\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [AVG_CC] D:\AVG\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Adstartup] C:\WINDOWS\System32\automove.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [ILO_Office_Manager] IntEdReg.exe /OFFMAN
O4 - Global Startup: UD Agent.lnk = C:\Program Files\United Devices\UD.exe
O8 - Extra context menu item: Download with GetRight - D:\Getright\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - D:\Getright\GRbrowse.htm
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://anu.popcap.com/games/popcaploader_v5.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4367/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E156C0D7-EC1D-4C75-860F-24066892535B}: Domain = btinternet.com
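The two entries that turned out to be the problem in the log above (the SWin32.dll BHO and the automove.exe Run key) share a pattern that can be checked mechanically: a loader pointing at a file dropped straight into System32 that is not a known Windows component. The script below is an added illustration of that triage, not part of the thread and not HijackThis's own code. It parses O2 (BHO) and O4 (Run key) lines in the v1.97 log format, applies two defender-side rules, and cross-references the "Running processes" block. The sample log is constructed from the entries quoted above with their backslashes restored; the System32 allowlist and the indicator set are assumptions drawn only from this thread, not a vendor database.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in HijackThis v1.97 log format, mirroring the log quoted above.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\automove.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SpyBot\SDHelper.dll
O2 - BHO: (no name) - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - C:\WINDOWS\System32\SWin32.dll
O4 - HKLM\..\Run: [QuickTime Task] "D:\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AVG_CC] D:\AVG\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Adstartup] C:\WINDOWS\System32\automove.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
"""

# Assumption: Microsoft components that legitimately load straight from System32
# (stems of the names seen in the thread's log and Gorbachev's list).
SYSTEM32_ALLOWLIST = {"smss", "winlogon", "services", "lsass", "svchost", "spoolsv",
                      "csrss", "ctfmon", "rundll32", "dumprep", "msdxm"}

# Assumption: file names this thread associated with the AdLogix adware.
THREAD_INDICATORS = {"automove.exe", "swin32.dll", "istinstall_adlogix.exe",
                     "adlinstallwin32.exe", "adupdmanager.xml"}

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<key>HK\w+\\\.\.\\Run): \[(?P<label>[^\]]*)\] (?P<cmd>.+)$")


def command_path(cmd):
    """Pull the executable out of a Run-key command line: a "quoted" path or the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def running_processes(log_text):
    """Lower-cased base names from the 'Running processes:' block (ends at the first blank line)."""
    names, in_block = set(), False
    for line in log_text.splitlines():
        if line.startswith("Running processes:"):
            in_block = True
            continue
        if in_block:
            if not line.strip():
                break
            names.add(PureWindowsPath(line.strip()).name.lower())
    return names


def assess(path):
    """Return the list of reasons a loaded file deserves a closer look (empty = nothing noted)."""
    p = PureWindowsPath(path)
    reasons = []
    if p.name.lower() in THREAD_INDICATORS:
        reasons.append("file name matches an indicator reported in this thread")
    # Third-party software normally installs under Program Files; an unrecognised file whose
    # parent directory is System32 itself (not a vendor subfolder such as System32\Hummingbird)
    # is the pattern both adware components in the log share.
    if p.parent.name.lower() == "system32" and p.stem.lower() not in SYSTEM32_ALLOWLIST:
        reasons.append("unrecognised file loaded straight from System32")
    return reasons


def triage(log_text):
    """Parse O2/O4 lines and return the entries that trip at least one rule."""
    running = running_processes(log_text)
    findings = []
    for line in log_text.splitlines():
        m = O2_RE.match(line)
        if m:
            section, label, path = "O2 BHO", m["name"], m["path"]
        else:
            m = O4_RE.match(line)
            if not m:
                continue
            section, label, path = "O4 " + m["key"], m["label"], command_path(m["cmd"])
        reasons = assess(path)
        if reasons:
            findings.append({"section": section, "label": label, "path": path,
                             "running": PureWindowsPath(path).name.lower() in running,
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['section']:<18} [{f['label']}] {f['path']}  running={f['running']}")
        for r in f["reasons"]:
            print("    -", r)
```

On the sample this reports exactly the SWin32.dll BHO and the automove.exe Run entry (the latter also present in the running-process list), and stays quiet on the Spybot helper, the quoted QuickTime path and the %systemroot% dumprep entry. A name-based allowlist is only a triage aid: on a real machine the next step is to hash the flagged files and check their publisher signatures before deciding anything, which is the same "check with someone before deleting" point Sim makes above.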





