[coljung]

like a month ago i turn on my computer and to my surprise all the shortcuts on the pc were not working and also some exe files were not responding. i dont know what trojan or virus causes this but it had happened to me a few months ago, then i had solved the problem by adding to the registry 2 keys related to exe files and shortcut files (.lnk).

anyway, so i had the files around and solved the problem easily.

now, since then, every time i run Ad watch, as soon as it loads i get an alarm with this info:

Key:SOFTWARE\Classes\exefile\shell\open\command
Value:
Data:
New Data: "%1"%*

im sure this was what f.....d my pc last time.

so i press block but it just keeps coming, and if i put it on automatic it will go on and on until i stop the program.

then if i restart the pc after all of this, i will have the same problem again, even if i blocked the [bleep] thing.

now, i dont know why but this only happens when i run ad-watch. for the last month i havent used it and have got no problems at all, but as soon as i open it i start getting that alarm.

i always found ad-watch very useful but now i can't use it. i've tried checking my pc for trojans or viruses to see if there's something interfearing with this program but i have yet to find something malicious on my computer.

so please any help would be appreciated.

[Advertisements]

Please follow the instructions located in Step Five: Posting a Hijack This Log. Post your HJT log as a reply to this thread, which has been relocated to the Malware Removal Forum for providing you with further assistance.

Kindly note that it is very busy in the Malware Removal Forum, so there may be a delay in receiving a reply. Please also note that HJT logfiles are reviewed on a first come/first served basis.

[Kat]

Please follow the instructions located in Step Five: Posting a Hijack This Log. Post your HJT log as a reply to this thread, which has been relocated to the Malware Removal Forum for providing you with further assistance.

Kindly note that it is very busy in the Malware Removal Forum, so there may be a delay in receiving a reply. Please also note that HJT logfiles are reviewed on a first come/first served basis.

[coljung]

Logfile of HijackThis v1.99.1
Scan saved at 12:42:30 AM, on 7/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Utilidades\NoAds\NoAds.exe
C:\Program Files\utilidades\MeteoMedia\WeatherEye.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Utilidades\Defrag Professional\oodcnt.exe
C:\PROGRA~1\INTERNET\FIREFOX\FIREFOX.EXE
C:\Program Files\utilidades\5 Clicks\Spider.exe
C:\Documents and Settings\pablo\Desktop\Shortcuts\Util\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Diseno\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [WeatherEye] C:\Program Files\utilidades\MeteoMedia\WeatherEye.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{327632E3-7A70-48BA-BA87-F30568211A2B}: NameServer = 206.47.244.91 206.47.244.50
O17 - HKLM\System\CS1\Services\Tcpip\..\{327632E3-7A70-48BA-BA87-F30568211A2B}: NameServer = 206.47.244.91 206.47.244.50
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\system32\CTSvcCDA.exe (file missing)
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe

[coljung]

one thing is that i only get the problem when i run ad-watch, that's why i posted on the other forum.....

[Michelle]

That is the default data for that registry value. However, I would like you to keep it blocked because I want to see what exactly is in that key right now.

Please do this for me:

Go to Start > Run. Copy the below line and paste it into the box:

regedit /e c:\shell.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell"

Click OK.

Navigate to C:\shell.txt, open it, and copy the contents and paste them into your next reply.

[coljung]

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\AU6]
@="Uninstall with Advanced Uninstaller"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\AU6\command]
@="C:\\Program Files\\utilidades\\Advanced Uninstaller PRO 2003 version 6\\uninstaller.exe %1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\Debug]
@="&Debug"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\Debug\command]
@="C:\\BC5\\BIN\\bcw.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\Debug\ddeexec]
@="IDE.DebugLoad(\"%1\");"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\Debug\ddeexec\Application]
@="BCW"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\Debug\ddeexec\ifexec]
@="IDE.DebugLoad(\"%1\");"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\Debug\ddeexec\topic]
@="System"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open]
"EditFlags"=hex:00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\runas]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\runas\command]
@="\"%1\" %*"

There you go.

[Michelle]

Have you opened Ad-Watch and browsed around? There should be some kind of option to ignore things.

[coljung]

no, even if i choose the block option, it will still change my registry.

whatever it is, only happens when i run ad-watch.

[Michelle]

The way your registry is right now is perfectly fine!

If you choose block it still changes your registry? So, how is it not changed then?

[coljung]

yes the registry is prefectly fine up until i open ad-watch.

even if i choose the block option it will modify the registry.

after opening ad-watch and restarting the computer the problem comes back ( no shortcuts or exe files working ).

BUT it only happens when i run adwatch, which is supposed to block registry modification, instead, its through it that something is modifying my registry.

Another thing is that when it happens, my startup list is completely deleted.

[Michelle]

Actually, the only thing modifying the registry is Ad-Watch - there isn't any malware doing that. It's trying to change it back to the default, which will screw up your exe files because it only changes one value instead of all of them.

As you said the registry is perfectly fine until you run Ad-Watch, which means there isn't anything malicious modifying the registry otherwise it would have done it when Ad-Watch wasn't running. Unfortunatelly, Ad-Watch is the curlprit in this case. So, you can either uninstall Ad-Watch and try re-installing it to see if that will take care of the problem or get rid of it altogether.

[coljung]

yeah, i should have done that a while ago, i'll install it again and will post back soon.


thanks

[Michelle]

If you choose to get rid of it completely, I have recommendations for anti-spyware programs that work very well

[coljung]

i'm open for suggestions....

[Michelle]

First and foremost, you need an anti-virus program. I strongly recommend AVG - it's free and it works great.

Then these are anti-spyware programs - I recommend using ALL of them:

Detect and Remove Programs:

• How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
• How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.

Prevention Programs:

• Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
• Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
• MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
• Google Toolbar <= YES, it is available for Firefox!).