[bobbyp]

Recently, during a bought of malware infection, AdAware stopped functioning. I always run it then Spybot Search and Destroy in safe mode. During this infection of HTML.Bloon.E and other malware such as CoolWWWSearch AdAware would start, begin loading definitions then stop responding (Ctrl+Alt+Delete would show this). I have tried uninstalling and reinstalling numerous times. I have tried going back to version 1.05. I have done a regestry clean with a regestry clean and fix program. Miekiemoes at Bleeping Computer and I both have wracked our brains trying to fix this problem (see http://www.bleepingc...tml#entry158505 for a complete listing of what we have tried. Can anyone help?

Bob

[Advertisements]

Hi Bob and welcome

We enjoy Miekiemoes company here at G2G as well

What version do you currently have installed now ?

[don77]

Hi Bob and welcome

We enjoy Miekiemoes company here at G2G as well

What version do you currently have installed now ?

[miekiemoes]

Hi Bob, you were supposed to post in the adaware-part of this forum.

http://www.geekstogo...-aware-f62.html

They know better what causes the Adaware Se not loading at the beginning.

[bobbyp]

Miekiemoes,

Hi! Wow, you sure must be busy to be lending help in two different forums.

Anyway, upon my arrival here I found this:

"Please use the malware forum for support
Due to the lack of participation we've decided to close the Lavasoft Support forum. Please use our malware forum for issues related to Adaware, or visit the official support site.

This forum has been closed and is READ ONLY."

Hence, this is the reason I am posting my issues in this forum.

Now the bad news... as I ran Spybot search and destroy last night 3 CoolWWWSearch files were found. I had Spybot Search and Destroy delete them.
I don't know if my teenaged boys are going somewhere on the net that is re-infecting my computer or if we missed something because it lay hidden somewhere (I am betting on the kids being the reason).

Bob

[bobbyp]

Sorry Don... I forgot to post which version I am running... AdAware 1.06.

I also tried 1.05 again with no success.

Bob the builder

[miekiemoes]

Ok; let's start with a new hijackthislog then... let's see if there is still something lurking there.

Does your spybot S&D come up clean now afterwards?

[bobbyp]

Here is the new (as of about two mins. ago) HJT log...

Logfile of HijackThis v1.99.1
Scan saved at 4:08:18 PM, on 8/20/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\ISAFE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\MSN APPS\UPDATER\01.03.0000.1005\EN-US\MSNAPPAU.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\IMAGEMATE COMPACTFLASH USB\SANDICON.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\VETMSG.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\VETTRAY.EXE
C:\WINDOWS\SYSTEM\USBMONIT.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\TRAYMON.EXE
C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
C:\PROGRAM FILES\HP\HP SOFTWARE UPDATE\HPWUSCHD2.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\HP\DIGITAL IMAGING\BIN\HPQTRA08.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\WINDOWS\SYSTEM\HPZIPM12.EXE
C:\PROGRAM FILES\MSN\MSNCOREFILES\MSN6.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HP\HPCORETECH\COMP\HPDARC.EXE
C:\PROGRAM FILES\HIJACK THIS\HIJACKTHIS.EXE

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-US\MSNTB.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.ExE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [msnappau] "c:\program files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe"
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SandIcon] C:\ImageMate CompactFlash USB\SandIcon.Exe
O4 - HKLM\..\Run: [Vet Alert] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VETMSG.EXE
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VETTRAY.EXE
O4 - HKLM\..\Run: [Gene USB Monitor] C:\WINDOWS\SYSTEM\USBMonit.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [HP Component Manager] "C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE"
O4 - HKLM\..\Run: [OmgStartup] C:\Program Files\Common Files\Sony Shared\OpenMG\OmgStartup.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [CAISafe] C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &AIM Search - res://C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://mycampus.pho...hxStudent15.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {5EB6A98B-F75B-4AC7-821D-BAD2C29D18C2} (CVALAXObj Class) - http://mycampus.phoe...load/CVALAX.CAB
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn...UC/MsnPUpld.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalci...6.1.7_en_dl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab

The most recent spybot S&D scan found 11 items and deleted them all, two of which where CoolWWWSearch items. I didn't save a report but I can say that the items that were found by Spybot S&D yesterday were not on there today.

I have a question... is it normal for Spybot S&D to take almost 12 hours to run (in safe mode)? It didn't used to take this long, and I am using the most up-to-date version which is supposed to run scans faster.

Bob the builder

[bobbyp]

More bad news (for me). Firefox will not allow sign-ins to MSN, nor will it allow me access to any of the features suchs as HELP, TOOLS ect.

Bob the builder

[miekiemoes]

Hi Bob, I still can't find anything suspicious though..

You may check and fix next entry in hijackthis:

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file)

It seems like you deleted/uninstalled spywareguard?

No it isn't normal that spybot takes so long to scan. Is there any particular file/folder that needs a long time to scan?

About your firefox, yes that's normal that you can't login into msn... firefox works different than IE. That's why we still tell people when they install firefox, they don't delete/uninstall IE because IE is still needed to vist/login some sites. Also for windowsupdate you have to use IE, because you can't perform it with firefox.

[bobbyp]

Hi Miekiemoes,

The download protection for Spyware Guard was turned off. I noticed this shortly after posting the HJT log and I have since turned it on.

Firefox didn't use to prevent any attempt to sign in to MSN https://mycampus.phoenix.edu/. I have used it many times to sign into both, especially my student website at University of Phoenix.

As for S&D, it seems to have a fondness for CoolWWWSearch since most of the time scanning is spent on the various forms CoolWWWSearch takes.


Bob the builder

[don77]

Hi Bob and Mie,
Mind if I jump back in for a second here,

Did a little digging on this and came up with the following,

Go to Add/Remove programs and remove Ad-aware SE
Next navigate to Program files and delete the Lavasoft folder

Next -
Go Here
Download Ad-aware SE 1.06,
Disable "ZoneAlarm" "Spyware Guard " "ETRUST EZ ANTIVIRUS"
Check your system tray and make sure you have nothing else running while setting it up, Once it set up check for web updates, If you get it to update, Go ahead and run a scan, Try normal mode first if no luck try safe mode.

Just be sure and enable everything back on before heading out on the net again
Let us know how you make out

[bobbyp]

Don,

I just tried this...

Rebooted in safe mode

Uninstalled both AdAware and Firefox from (using) Add/Remove programs

Made sure no files existed for Lavasoft and Mozilla by doing a Find Files or Folders

Re-installed BOTH while in safe made with new back-up copies less than a week old each

Started AdAware from the propt screen when installing it without viewing help files or updating... it ran fine

Rebooted to normal... AdAware still stops responding after or during the load definitions... FireFox still freezes up (also stops responding).

I am beginning to think it is not a problem with something being on my puter stopping these programs, but rather a possibility there is something missing.

Bob the builder

[don77]

OK, Lets see if we can update the def's for Ad-aware manually and see if that makes a difference ( I think we just made some progess, you weren't able to run it at all in safe mode prior correct ? )

Go Here and unzip the recent def files to to the Ad-aware SE Personal folder.

Open Ad-aware and see if it will run now

[bobbyp]

Don...

Sorry, Adaware still doesn't run, and Firefox is now running limitedly... any use of Firefox's tool bar options causes a freeze, as well as using any radio button on screen.

Bob

[don77]

Hi Bob
sorry to leave you hanging,

Lets see if we can see something from an Ad-aware log,

Run it from safe mode
Select "Perform Full System Scan" and press "Next". When the scan has completed, click "Show Logfile"

Copy and past the log file here for me please

Edit:
Could you first disable,"ZoneAlarm" "Spyware Guard " "ETRUST EZ ANTIVIRUS" and Tea Timer please, See if you can run Ad-aware in normal mode, If not go ahead and run in safe mode and post back the log for me please

Edited by don77, 23 August 2005 - 05:26 PM.