Adware caused by AdAware?



#1
Zach Oldenburg


    New Member

  • Member
  • 4 posts
I system restored my computer, then got all the necessaries. A few days into it, I got AdAware and all of a sudden adware starts up. I delete AdAware. Just totally uninstall it, and nothing. The URLs of the ads are like this:


Posted Image
Notice the checker board. It's on all the pop-ups.

BUT, the URLs aren't always innocent like that. They first are something along the lines of "http://a-d-a-w-a-r-e.com/blah" or "http://adaware.com/blah" then redirect to the one above.


So I got Secretmaker, an all-in-one program, which got rid of it, but after each computer restart, I've had to start up the program to re-ensure no ads.

Just yesterday, I restarted and I started Secretmaker very first, as all programs were starting up, and I'm not sure what went wrong but the ads are getting by the program. I restarted again and did what I usually do and still the same. It's like they're smarter now.

I reinstalled Adaware and ran it, then deleted the critical objects, but still... no change.


HELP!
  • 0



#2
Flrman1


    Malware Assassin

  • Retired Staff
  • 6,596 posts
Hi Zach

Welcome to G2G! :tazz:

Please do this:

  • Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Double-click on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

  • 0

#3
Zach Oldenburg


    New Member

  • Topic Starter
  • Member
  • 4 posts
Logfile of HijackThis v1.99.1
Scan saved at 4:33:30 PM, on 3/9/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Norton AntiVirus\navapsvc.exe
E:\Program Files\Norton AntiVirus\SAVScan.exe
E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
E:\Program Files\Trillian\trillian.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\explorer.exe
E:\PROGRAM FILES\OPERA\OPERA.EXE
E:\Program Files\Secretmaker\secretmaker.exe
E:\Documents and Settings\All Users\Desktop\Hijackthis\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Ad Annihilator - {A1C18A7B-55E9-4DA3-A880-D112C791A9D8} - E:\PROGRA~1\ADANNI~1\ADANNI~1.DLL
O4 - HKLM\..\Run: [ccApp] "E:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [WinampAgent] E:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [BearShare] "E:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Trillian.lnk = E:\Program Files\Trillian\trillian.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SECRETMAKER.lnk = E:\Program Files\Secretmaker\secretmaker.exe
O8 - Extra context menu item: [Add to organizer] - res://E:\Program Files\Ad Annihilator\AdAnnihilator.dll/3250
O8 - Extra context menu item: [Block this banner] Ctrl+Alt+B - res://E:\Program Files\Ad Annihilator\AdAnnihilator.dll/3245
O8 - Extra context menu item: [Block this popup] Ctrl+Alt+K - res://E:\Program Files\Ad Annihilator\AdAnnihilator.dll/3256
O8 - Extra context menu item: [Find blocking filter] Ctrl+Alt+F - res://E:\Program Files\Ad Annihilator\AdAnnihilator.dll/3254
O8 - Extra context menu item: [Find this resource in resource list] Ctrl+Alt+L - res://E:\Program Files\Ad Annihilator\AdAnnihilator.dll/3253
O8 - Extra context menu item: [Locate target document] - res://E:\Program Files\Ad Annihilator\AdAnnihilator.dll/3255
O8 - Extra context menu item: [Open all links] - res://E:\Program Files\Ad Annihilator\AdAnnihilator.dll/3247
O8 - Extra context menu item: [Resume resource loading] Ctrl+Alt+R - res://E:\Program Files\Ad Annihilator\AdAnnihilator.dll/3251
O8 - Extra context menu item: [Show/hide menu and toolbars] Ctrl+Alt+M - res://E:\Program Files\Ad Annihilator\AdAnnihilator.dll/3252
O8 - Extra context menu item: [Unblock this banner] Ctrl+Alt+U - res://E:\Program Files\Ad Annihilator\AdAnnihilator.dll/3246
O8 - Extra context menu item: [Unblock this popup] Ctrl+Alt+A - res://E:\Program Files\Ad Annihilator\AdAnnihilator.dll/3257
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Ad Annihilator Options - {6715FB17-6DC8-4ff8-8CED-9BEFC28E2704} - E:\PROGRA~1\ADANNI~1\ADANNI~1.DLL
O9 - Extra 'Tools' menuitem: Ad Annihilator Options - {6715FB17-6DC8-4ff8-8CED-9BEFC28E2704} - E:\PROGRA~1\ADANNI~1\ADANNI~1.DLL
O9 - Extra button: (no name) - {BB15D76F-6189-4c89-A9F8-CED4F9D01328} - E:\PROGRA~1\ADANNI~1\ADANNI~1.DLL
O9 - Extra 'Tools' menuitem: Ad Annihilator Toolbar - {BB15D76F-6189-4c89-A9F8-CED4F9D01328} - E:\PROGRA~1\ADANNI~1\ADANNI~1.DLL
O10 - Broken Internet access because of LSP provider 'smnsp.dll' missing
O20 - Winlogon Notify: MediaContentIndex - E:\WINDOWS\system32\n4r20e9oeh.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - E:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - E:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - E:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
  • 0

#4
Flrman1


    Malware Assassin

  • Retired Staff
  • 6,596 posts
Before we can provide you any assistance, you need to go here and install "Service Pack 1". This will patch numerous security holes in IE and Windows. Many baddies get on your machine by taking advantage of these vulnerabilities. As your machine stands now it is wide open to attack from all sorts of nasties. You need to get these updates before we proceed or we will be wasting our time.

DO NOT install Service Pack 2 yet. If you install SP 2 on an infected machine it will cause serious problems. Just get Service Pack 1 installed then come back here and post a new Hijack This log.
  • 0

#5
Zach Oldenburg


    New Member

  • Topic Starter
  • Member
  • 4 posts
Logfile of HijackThis v1.99.1
Scan saved at 7:03:52 PM, on 3/9/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\system32\rundll32.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
E:\Program Files\Norton AntiVirus\navapsvc.exe
E:\Program Files\Norton AntiVirus\SAVScan.exe
E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
E:\WINDOWS\System32\msiexec.exe
E:\WINDOWS\System32\wuauclt.exe
E:\Program Files\Common Files\Symantec Shared\ccApp.exe
E:\Program Files\QuickTime\qttask.exe
E:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
E:\Program Files\Winamp\winampa.exe
E:\Program Files\BearShare\BearShare.exe
E:\Documents and Settings\All Users\Desktop\Hijackthis\HijackThis.exe
E:\Program Files\Messenger\msmsgs.exe
E:\Program Files\Secretmaker\secretmaker.exe
E:\Program Files\Trillian\trillian.exe
E:\Program Files\Secretmaker\ClearProg.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Ad Annihilator - {A1C18A7B-55E9-4DA3-A880-D112C791A9D8} - E:\PROGRA~1\ADANNI~1\ADANNI~1.DLL
O4 - HKLM\..\Run: [ccApp] "E:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [WinampAgent] E:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [BearShare] "E:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Trillian.lnk = E:\Program Files\Trillian\trillian.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SECRETMAKER.lnk = E:\Program Files\Secretmaker\secretmaker.exe
O8 - Extra context menu item: [Add to organizer] - res://E:\Program Files\Ad Annihilator\AdAnnihilator.dll/3250
O8 - Extra context menu item: [Block this banner] Ctrl+Alt+B - res://E:\Program Files\Ad Annihilator\AdAnnihilator.dll/3245
O8 - Extra context menu item: [Block this popup] Ctrl+Alt+K - res://E:\Program Files\Ad Annihilator\AdAnnihilator.dll/3256
O8 - Extra context menu item: [Find blocking filter] Ctrl+Alt+F - res://E:\Program Files\Ad Annihilator\AdAnnihilator.dll/3254
O8 - Extra context menu item: [Find this resource in resource list] Ctrl+Alt+L - res://E:\Program Files\Ad Annihilator\AdAnnihilator.dll/3253
O8 - Extra context menu item: [Locate target document] - res://E:\Program Files\Ad Annihilator\AdAnnihilator.dll/3255
O8 - Extra context menu item: [Open all links] - res://E:\Program Files\Ad Annihilator\AdAnnihilator.dll/3247
O8 - Extra context menu item: [Resume resource loading] Ctrl+Alt+R - res://E:\Program Files\Ad Annihilator\AdAnnihilator.dll/3251
O8 - Extra context menu item: [Show/hide menu and toolbars] Ctrl+Alt+M - res://E:\Program Files\Ad Annihilator\AdAnnihilator.dll/3252
O8 - Extra context menu item: [Unblock this banner] Ctrl+Alt+U - res://E:\Program Files\Ad Annihilator\AdAnnihilator.dll/3246
O8 - Extra context menu item: [Unblock this popup] Ctrl+Alt+A - res://E:\Program Files\Ad Annihilator\AdAnnihilator.dll/3257
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Ad Annihilator Options - {6715FB17-6DC8-4ff8-8CED-9BEFC28E2704} - E:\PROGRA~1\ADANNI~1\ADANNI~1.DLL
O9 - Extra 'Tools' menuitem: Ad Annihilator Options - {6715FB17-6DC8-4ff8-8CED-9BEFC28E2704} - E:\PROGRA~1\ADANNI~1\ADANNI~1.DLL
O9 - Extra button: (no name) - {BB15D76F-6189-4c89-A9F8-CED4F9D01328} - E:\PROGRA~1\ADANNI~1\ADANNI~1.DLL
O9 - Extra 'Tools' menuitem: Ad Annihilator Toolbar - {BB15D76F-6189-4c89-A9F8-CED4F9D01328} - E:\PROGRA~1\ADANNI~1\ADANNI~1.DLL
O10 - Broken Internet access because of LSP provider 'smnsp.dll' missing
O20 - Winlogon Notify: Control Panel - E:\WINDOWS\system32\e4jm0e11eh.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - E:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - E:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - E:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe





I noticed a lot of processes were running, so I closed them like usual. Just the ones I wasn't really using. Bearshare, MSN, etc.
  • 0
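
An added example, not part of the original thread or of either poster's words: one way to compare the numbered "O" entries of two HijackThis logs taken from the same machine and list the ones that changed. The function names are hypothetical, and the sample lines are excerpted from the logs in posts #3 and #5 above; on that excerpt the only entry that differs is the O20 Winlogon Notify line.

```python
import re
from collections import defaultdict

# Lines excerpted from the two HijackThis logs posted in this thread.
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [BearShare] "E:\Program Files\BearShare\BearShare.exe" /pause
O10 - Broken Internet access because of LSP provider 'smnsp.dll' missing
O20 - Winlogon Notify: MediaContentIndex - E:\WINDOWS\system32\n4r20e9oeh.dll
"""
LOG_AFTER = r"""
O4 - HKLM\..\Run: [BearShare] "E:\Program Files\BearShare\BearShare.exe" /pause
O10 - Broken Internet access because of LSP provider 'smnsp.dll' missing
O20 - Winlogon Notify: Control Panel - E:\WINDOWS\system32\e4jm0e11eh.dll
"""

ENTRY = re.compile(r"^(O\d+) - (.+)$")  # section code, then the entry body

def parse_entries(log_text):
    """Map each section code (O4, O20, ...) to the set of entry bodies under it."""
    sections = defaultdict(set)
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            sections[m.group(1)].add(m.group(2))
    return sections

def diff_logs(before, after):
    """Return {section: (removed, added)} for sections whose entries changed."""
    a, b = parse_entries(before), parse_entries(after)
    changes = {}
    for code in sorted(set(a) | set(b), key=lambda c: int(c[1:])):
        removed, added = a[code] - b[code], b[code] - a[code]
        if removed or added:
            changes[code] = (sorted(removed), sorted(added))
    return changes

def notify_dlls(log_text):
    """File names of the DLLs registered under O20 Winlogon Notify."""
    bodies = sorted(parse_entries(log_text).get("O20", ()))
    return [b.rsplit("\\", 1)[-1] for b in bodies
            if b.startswith("Winlogon Notify:")]

if __name__ == "__main__":
    for code, (removed, added) in diff_logs(LOG_BEFORE, LOG_AFTER).items():
        for body in removed:
            print(f"- {code} {body}")
        for body in added:
            print(f"+ {code} {body}")
```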

#6
Flrman1


    Malware Assassin

  • Retired Staff
  • 6,596 posts
  • Click here to download Look2Me-Destroyer.exe and save it to your desktop.
  • Close all windows before continuing.
  • Double-click Look2Me-Destroyer.exe to run it.
  • Put a check next to Run this program as a task.
  • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK.
  • When Look2Me-Destroyer re-opens, click the Scan for L2M button. Your desktop icons will disappear; this is normal.
  • Once it's done scanning, click the Remove L2M button.
  • You will receive a Done Scanning message, click OK.
  • When completed, you will receive this message:
    • Done removing infected files! Look2Me-Destroyer will now shutdown your computer
  • Click OK then your computer will shutdown.
  • Wait 60 seconds then turn your computer back on.
  • Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.

If Look2Me-Destroyer does not reopen automatically, reboot and try again.

If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive...ib/MSWINSCK.OCX
  • 0





