AdShooter.SearchForIt will not die!


  • This topic is locked
7 replies to this topic

#1 gphelps

    Member

  • New Member
  • 3 posts

Posted 29 July 2004 - 09:28 AM

I run HTAstop, Ad-aware, PestPatrol, Spybot, Spywareblaster, and Spywareguard. I have a firewall from ZoneAlarm and an anti-virus program from AVG, yet I still have contracted this dang AdShooter.SearchForIt spyware.

I can delete it with Pest-Patrol and it comes right back. In Spywareblaster it deselects itself so that it is ignored. I can choose to protect against it again then 5-10 min later it is being ignored again.

I frankly am at my wits' end. For those of you who will suggest Firefox as a replacement for IE: no can do. I am in an online class and the school requires the IE browser, so I am stuck.

So in an attempt to lose this pesky little program I thought I could consult some experts in the area. I have attached my HijackThis log below.

Logfile of HijackThis v1.97.7
Scan saved at 7:54:15 AM, on 7/29/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Executive Software\DiskeeperServer\DKService.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Belkin Sentry Bulldog Plus\upsd.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\EVIDEN~1\ee.exe
C:\Program Files\Belkin Corporation\Belkin Wireless Network Monitor Utility and Driver\RtlWake.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\hijack this\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Evidence Eliminator] C:\PROGRA~1\EVIDEN~1\ee.exe /m
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: RtlWake.lnk = C:\Program Files\Belkin Corporation\Belkin Wireless Network Monitor Utility and Driver\RtlWake.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.micros...tes/ieawsdc.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0401.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8116.6131481482
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
Any help in this matter is greatly appreciated. Additionally, if there are any other useless things in this log I can get rid of, I would appreciate that help as well.

Thanks,
Gary

#2 VashonDude

    Forum Deity

  • Trusted Advisor
  • 1,255 posts

Posted 29 July 2004 - 12:20 PM

Hi there!

I'm looking over your log right now to see what needs to be done. I'll be back in a bit.

-- LB
Want to help in the fight against malware? Join the SWI boot camp.

#3 VashonDude

    Forum Deity

  • Trusted Advisor
  • 1,255 posts

Posted 29 July 2004 - 02:46 PM

Is it just Pest Patrol that is detecting AdShooter.SearchForIt or is Ad-Aware and/or Spybot (I'm assuming both are up to date) detecting it as well?

When Pest Patrol detected it, did it say which files and/or registry keys were deleted?

-- LB
Want to help in the fight against malware? Join the SWI boot camp.

#4 gphelps

    Member

  • New Member
  • 3 posts

Posted 30 July 2004 - 08:38 AM

VashonDude,

Only PestPatrol is catching the item currently (Ad-Aware and Spybot are both up to date). There was a bulletin that this was a flaw in PestPatrol that found Microsoft components as this item. I do not think it is a flaw, as every time I delete the files using PestPatrol, SpywareBlaster has the immunization for this item turned off and I have to re-immunize for it, and it is back in my PestPatrol log.

PestPatrol gives the following 2 locations in the registry for this item and then deletes them; however, it just keeps coming back:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{C109664B-CEB1-420B-B353-D55A561536DD}

AND

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{C109664B-CEB1-420B-B353-D55A561536DD}compatibility flags

The compatibility flags REG_DWORD is set to 0x00000400(1024)

There must be a rogue .dll hiding somewhere for this item to keep replicating after deletion.

Thanks for responding.

Gary

#5 VashonDude

    Forum Deity

  • Trusted Advisor
  • 1,255 posts

Posted 30 July 2004 - 11:10 AM

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{C109664B-CEB1-420B-B353-D55A561536DD}compatibility flags

The compatibility flags REG_DWORD is set to 0x00000400(1024)
That's the killbit set by SpywareBlaster. What's happening is that Pest Patrol is seeing that as an indication of AdShooter.SearchForIt and for whatever reason isn't seeing it as a killbit. See this article for more info.

Are you using the free version of Pest Patrol?

-- LB
Want to help in the fight against malware? Join the SWI boot camp.

#6 gphelps

    Member

  • New Member
  • 3 posts

Posted 30 July 2004 - 01:30 PM

Well heck, I feel silly for being such a doofus.

Thanks a ton.

#7 VashonDude

    Forum Deity

  • Trusted Advisor
  • 1,255 posts

Posted 30 July 2004 - 02:08 PM

I think you can have Pest Patrol ignore that item by choosing "ignore" when it comes up again. You may want to consider removing or disabling Pest Patrol.

I recommend downloading the following programs:

IE-Spyad

MVPS Hosts

These will prevent much of the bad stuff from getting on your computer. They're all free.

For IE-Spyad and MVPS Hosts, check either at their respective web sites or the Software Update forum here for update announcements.

Here are some recommended changes in IE settings that will help protect you.

Go to the Tools menu, then choose Internet Options.

Click on the Privacy tab and click on the Advanced button.

In the box that pops up, check both the Override automatic cookie handling and Always allow session cookies boxes. Set First party cookies to "Allow" and Third party cookies to "Block". Click OK.

Go to the Security tab & click the Custom Level button.

The following ActiveX section settings should be changed as follows:
  • Download signed ActiveX controls: Prompt
  • Download unsigned ActiveX controls: Prompt
  • Initialize and script ActiveX controls not marked as safe: Disable
In the Microsoft VM section, set Java Permissions to "High Safety"

In the Miscellaneous section, set Installations of desktop items to "Prompt"

Click on the Advanced tab and uncheck both Install on demand items.

Click on Apply, then OK.

-- LB
Want to help in the fight against malware? Join the SWI boot camp.
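As an added example (not code from this thread or from any of the tools named in it): a Python audit over a .reg export, produced with regedit's Export or `reg export`, that reports which CLSIDs under ActiveX Compatibility carry the 0x400 kill bit described in post #5 (a block set by a tool like SpywareBlaster, not an installed component) and which Internet-zone ActiveX actions differ from the settings listed in post #7. It assumes the standard Internet Settings\Zones action IDs 1001, 1004 and 1201 with data 0 = Enable, 1 = Prompt, 3 = Disable; the sample export is constructed, using the CLSID quoted in the thread plus a made-up all-zero CLSID.

```python
import re

FLAG_KILL_BIT = 0x400  # "Compatibility Flags" bit: IE refuses to load the CLSID

# Internet zone (Zones\3) action IDs; data 0 = Enable, 1 = Prompt, 3 = Disable.
RECOMMENDED_ZONE3 = {
    "1001": 1,  # Download signed ActiveX controls: Prompt
    "1004": 1,  # Download unsigned ActiveX controls: Prompt
    "1201": 3,  # Initialize and script ActiveX controls not marked as safe: Disable
}

def parse_reg(text):
    """Return {key_path: {value_name: int}} for the dword values in a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = re.match(r'"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)
            if m:
                keys[current][m.group(1)] = int(m.group(2), 16)
    return keys

def killbitted_clsids(keys):
    """CLSIDs whose Compatibility Flags carry the kill bit (a block, not an infection)."""
    return [path.rsplit("\\", 1)[1] for path, values in keys.items()
            if "\\ActiveX Compatibility\\{" in path
            and values.get("Compatibility Flags", 0) & FLAG_KILL_BIT]

def zone3_deviations(keys):
    """Internet-zone ActiveX actions whose value differs from the recommendation."""
    zone = next((v for k, v in keys.items() if k.endswith("\\Zones\\3")), {})
    return {a: zone.get(a) for a, want in RECOMMENDED_ZONE3.items() if zone.get(a) != want}

# Constructed sample: the thread's CLSID (kill bit set), a made-up zero CLSID, zone at default 1201.
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{C109664B-CEB1-420B-B353-D55A561536DD}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000000}]
"Compatibility Flags"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000001
"1004"=dword:00000001
"1201"=dword:00000000
"""
```

To run it against a real export, read the file with `open(path, encoding="utf-16")`, since regedit and `reg export` write version 5.00 files as UTF-16.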

#8 dave38

    Devout Murphyite!

  • Emeritus
  • 8,508 posts

Posted 27 August 2004 - 02:04 PM

Glad we could help!

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
Be wary of strong drink. It may make you shoot at tax collectors, and miss!
Please support SWI forum