Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works

Adware.Webdir [RESOLVED]

  • This topic is locked This topic is locked




  • Member
  • PipPip
  • 48 posts

im having a problem with spyware and adware. normally my computer is completely clean, and i use spybot, adaware, spyware blaster and webroot spysweeper for anti-spyware things. i also have my univeristy antivirus (symantec) installed and running.

recently however, symantec keeps finding this thing called webdir.dll that it cant delete. and it just leaves the files alone. it seemed like the infection was in system restore files so i turned that off, but i think it's still there.
and NONE of my anti-spyware programs find anything at all! it's really weird, but i was wondering if you guys could help me with this problem.....

heres a symantec report. another weird thing is that my primary action is to quarantine and then delete if unsuccessful. this is doing nothing about the threat.:

Risk~~~~~~~~~~~~~~Action~~~~~~~~~Filename~~~~~~~~~~Original Location

Adware.WebDir~~~~~~Left alone~~~~~~~A0014838.dll
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP80\

Adware.WebDir~~~Pending Analysis~~~~~~A0014838.dll
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP80\

Adware.WebDir~~~~Left alone~~~~~~~~~~pxwma.dll~~~~~~~~~~C:\WINDOWS\
Adware.WebDir~~Pending Analysis~~~~~~~~pxwma.dll~~~~~~~~~C:\WINDOWS\
Adware.WebDir~~~~Left alone~~~~~~~~~~pxwma.dll~~~~~~~~~~C:\WINDOWS\
Adware.WebDir~~Pending Analysis~~~~~~~~pxwma.dll~~~~~~~~~C:\WINDOWS\
Adware.WebDir~~~~Left alone~~~~~~~~~~pxwma.dll~~~~~~~~~~C:\WINDOWS\
Adware.WebDir~~Pending Analysis~~~~~~~~pxwma.dll~~~~~~~~~~C:\WINDOWS\

i can post a HJT log below. for reference, anything with "maxtor" or "retrospect" has to do with an external harddrive...

Logfile of HijackThis v1.99.1
Scan saved at 1:33:16 PM, on 10/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Documents and Settings\Mirza Qalamdun\Desktop\HAD\PTW.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\DOCUME~1\MIRZAQ~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthisnew.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe /h
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Prayer.lnk = C:\Documents and Settings\Mirza Qalamdun\Desktop\HAD\PTW.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CWShredder Service - Unknown owner - C:\DOCUME~1\MIRZAQ~1\LOCALS~1\Temp\Temporary Directory 1 for CWShredder.zip\CWShredder.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

thanks in advance
  • 0




    Member 2k

  • Retired Staff
  • 2,744 posts
Hi tmod2000,

Your log looks clean.. :tazz:

This can be a false positive as that filename belongs to an adware file as well as a legitimate file by Sonic Solutions. Let's do this, manually navigate to the file


right click on the file and choose properties.. then post back with the information under the version tab..
  • 0




  • Topic Starter
  • Member
  • PipPip
  • 48 posts

thanks for your reply

the file you specified doesn't exist, not even as a hidden file.

if my log is clean then im happy :tazz: just one more thing, microsoft antispyware has recognized three separate things having to do with host files:

Windows Hosts File alert

Occurred on: 10/27/2005 at 2:30:01 PM

The user has decided to block the entry www.visitfind.net pointing to IP address from being added to the Windows Hosts file.


Windows Hosts File alert

Occurred on: 10/26/2005 at 1:53:15 PM

The entry as.casalemedia.com pointing to IP address has been automatically been denied permission to be added to the Windows Hosts file. This Hosts file change was blocked based on your previous input.


Windows Hosts File alert

Occurred on: 10/25/2005 at 8:47:43 AM

The user has decided to block the entry as.casalemedia.com pointing to IP address from being added to the Windows Hosts file.

are these anything bad?
  • 0



    Member 2k

  • Retired Staff
  • 2,744 posts
Sorry for not replying sooner, somehow I wasn't notified of your message..

You can let Microsoft Antispyware allow those. When an entry is put into the hosts file, such as, www.visitfind.net is the ip of your local computer (not your ip when you go online, that's different)

When an entry is put into the hosts file, two adresses side by side, when you want to go to the adress on the right you will be redirected to the adress on the left. To restrict access to certain sites, is used to redirect to your own computer, thus you won't be able to access that site.. :tazz:
  • 0




  • Topic Starter
  • Member
  • PipPip
  • 48 posts
ok thank you very much!
  • 0




  • Topic Starter
  • Member
  • PipPip
  • 48 posts
oh it seems as if i cant find out how to let microsoft antispyware allow those.....any advice or should i just let it be?
  • 0



    Member 2k

  • Retired Staff
  • 2,744 posts
If you were installing a hosts file such as Spybot's or another one, you may need to temporarily disable Microsoft Antispyware..

Open Microsoft AntiSpyware.
Click on Options, Settings.
In the left pane, click on Real-time Protection.
Under Startup Options uncheck Enable the Microsoft AntiSpyware Security Agents on startup (recommended).
Under Real-time spyware threat protection uncheck Enable real-time spyware threat protection (recommended).
After you uncheck these, click on the Save button and close Microsoft AntiSpyware.
Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware.

After done, reenable those by reversing to steps above..
  • 0




  • Topic Starter
  • Member
  • PipPip
  • 48 posts
ok thank you very much! thanks for all your help!
  • 0



    Member 2k

  • Retired Staff
  • 2,744 posts
Ok, you weren't infected, but still I will post a prevention speech, at least for the benefit of all else reading this topic. :tazz:

Please take the following into consideration to maintain a clean computer.

Now you should go get a firewall. Don't rely on the Windows firewall as it monitors only incoming traffic. Pick one of these, they are all free.

I'll also recommend you to install a monitoring software which will monitor certain areas on your computer and will place alerts when those are being modified. One such software I'll recommend is Prevx, but it's for advanced users as the messages it displays can be hard to decipher. One other similar but more user friendly software is Winpatrol. Both are free programs.



Visit Windows Update regularly to get the latest security updates.You can also enable automatic updates.Your antivirus software and antispyware programs should also be updated regularly. Make a habit of running scans on a timely basis. Be careful about what you download, scan every file before clicking on it.

Additional programs to consider:

Spywareblaster Prevents the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software.Blocks spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.Restricts the actions of potentially unwanted sites in Internet Explorer.
Spywareguard An anti-virus program scans files before you open them and prevents execution if a virus is detected - SpywareGuard does the same thing, but for spyware!
Adds a list of malicious sites to your Restricted Sites Zone.
Firefox An alternate browser safer than IE

A good article to read:
So how did I get infected in the first place?


  • 0



    Member 2k

  • Retired Staff
  • 2,744 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0

Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP