Adware keeps coming back.
-
I have deleted tons of stuff with Ad-Aware and ewido, but it keeps coming back.
Can someone check out this log please:
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 4:36:33 PM, 2/15/2006
+ Report-Checksum: 47DE7A1D
+ Scan result:
HKLM\SOFTWARE\Effective-i -> Adware.EffectiveBrandToolbar : Cleaned with backup
HKLM\SOFTWARE\Effective-i\TheSearchAccelerator -> Adware.EffectiveBrandToolbar : Cleaned with backup
HKLM\SOFTWARE\Effective-i\TheSearchAccelerator\IE5 -> Adware.EffectiveBrandToolbar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UCmore - The Search Accelerator -> Adware.UCmore : Cleaned with backup
HKLM\SOFTWARE\SurfSideKick3 -> Adware.SurfSide : Cleaned with backup
HKLM\SOFTWARE\SurfSideKick3\Internet Explorer -> Adware.SurfSide : Cleaned with backup
HKU\S-1-5-21-1995843397-1201935746-1235320694-1002\Software\Effective-i -> Adware.EffectiveBrandToolbar : Cleaned with backup
HKU\S-1-5-21-1995843397-1201935746-1235320694-1002\Software\Effective-i\TheSearchAccelerator -> Adware.EffectiveBrandToolbar : Cleaned with backup
HKU\S-1-5-21-1995843397-1201935746-1235320694-1002\Software\Effective-i\TheSearchAccelerator\IE5 -> Adware.EffectiveBrandToolbar : Cleaned with backup
[248] C:\Program Files\NewDotNet\newdotnet6_38.dll -> Adware.NewDotNet : Cleaned with backup
[696] C:\Program Files\NewDotNet\newdotnet6_38.dll -> Adware.NewDotNet : Error during cleaning
[1192] C:\WINNT\Q0NOWQ\asappsrv.dll -> Adware.CommAd : Cleaned with backup
[1176] C:\WINNT\Q0NOWQ\asappsrv.dll -> Adware.CommAd : Error during cleaning
[1220] C:\WINNT\Q0NOWQ\asappsrv.dll -> Adware.CommAd : Error during cleaning
[1252] C:\WINNT\Q0NOWQ\asappsrv.dll -> Adware.CommAd : Error during cleaning
[1276] C:\WINNT\Q0NOWQ\asappsrv.dll -> Adware.CommAd : Error during cleaning
[1300] C:\WINNT\Q0NOWQ\asappsrv.dll -> Adware.CommAd : Error during cleaning
[1320] C:\WINNT\Q0NOWQ\asappsrv.dll -> Adware.CommAd : Error during cleaning
[1340] C:\WINNT\Q0NOWQ\asappsrv.dll -> Adware.CommAd : Error during cleaning
[1428] C:\WINNT\Q0NOWQ\asappsrv.dll -> Adware.CommAd : Error during cleaning
[1448] C:\WINNT\Q0NOWQ\asappsrv.dll -> Adware.CommAd : Error during cleaning
[1460] C:\WINNT\Q0NOWQ\asappsrv.dll -> Adware.CommAd : Error during cleaning
[1896] C:\WINNT\Q0NOWQ\command.exe -> Adware.CommAd : Cleaned with backup
[1936] C:\WINNT\Q0NOWQ\asappsrv.dll -> Adware.CommAd : Error during cleaning
[1184] C:\WINNT\Q0NOWQ\asappsrv.dll -> Adware.CommAd : Error during cleaning
C:\WINNT\NDNuninstall6_38.exe -> Adware.NewDotNet : Cleaned with backup
C:\WINNT\NDNuninstall7_22.exe -> Adware.NewDotNet : Cleaned with backup
C:\WINNT\Q0NOWQ\asappsrv.dll -> Adware.CommAd : Cleaned with backup
C:\WINNT\Q0NOWQ\command.exe -> Adware.CommAd : Cleaned with backup
C:\WINNT\system32\wd2_32.dll -> Adware.Look2Me : Cleaned with backup
C:\WINNT\system32\wuauclt.dll -> Downloader.Qoologic.at : Cleaned with backup
C:\Documents and Settings\staff\Cookies\staff@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\staff\Cookies\staff@clickbank[1].txt -> TrackingCookie.Clickbank : Cleaned with backup
C:\Documents and Settings\staff\Cookies\staff@paypopup[1].txt -> TrackingCookie.Paypopup : Cleaned with backup
C:\Documents and Settings\staff\Cookies\staff@z1.adserver[1].txt -> TrackingCookie.Adserver : Cleaned with backup
::Report End
Logfile of HijackThis v1.99.1
Scan saved at 4:41:20 PM, on 2/15/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\SYMANTEC\Ghost\NGCTW32.EXE
C:\WINNT\system32\MSTask.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\nav32.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINNT\xload.exe
C:\PROGRA~1\NETSCAPE\NETSCAPE\NETSCP.EXE
C:\WINNT\RACLE~1\regedit.exe
C:\Documents and Settings\staff\My Documents\M?crosoft.NET\w?nword.exe
C:\WINNT\FSScrCtl.exe
C:\WINNT\system32\ntvdm.exe
C:\WINNT\Q0NOWQ\command.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinZip\WINZIP32.EXE
C:\PROGRA~1\WINZIP\wzqkpick.exe
C:\Documents and Settings\staff\Local Settings\Temp\wz389\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.ccny.cuny.edu/
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://pelican.admin.ccny.cuny.edu/"); (C:\Documents and Settings\staff\Application Data\Mozilla\Profiles\default\ooqmnrhc.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\staff\Application Data\Mozilla\Profiles\default\ooqmnrhc.slt\prefs.js)
O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet7_22.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NGClient] C:\Program Files\SYMANTEC\Ghost\ngctw32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd8.exe
O4 - HKLM\..\Run: [susse] "C:\WINNT\system32\hpsw.exe"
O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban6.exe
O4 - HKLM\..\Run: [gimmygames] C:\\gimmygames.exe
O4 - HKLM\..\Run: [ntdll.dll] C:\windows\winsysban6.exe
O4 - HKLM\..\Run: [xload] "C:\WINNT\xload.exe"
O4 - HKLM\..\Run: [MediaGateway] C:\Program Files\MediaGateway\MediaGateway.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\PROGRA~1\NETSCAPE\NETSCAPE\NETSCP.EXE" -turbo
O4 - HKCU\..\Run: [Rsis] "C:\WINNT\RACLE~1\regedit.exe" -vt mt
O4 - HKCU\..\Run: [Tnioszzl] C:\Documents and Settings\staff\My Documents\M?crosoft.NET\w?nword.exe
O4 - Startup: Slide Show.lnk = C:\SLIDESHW\WALLPAPR.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Screen Saver Control.lnk = C:\WINNT\FSScrCtl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O10 - Hijacked Internet access by New.Net
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.adextension.com
O15 - Trusted Zone: *.dollarrevenue.com
O15 - Trusted Zone: *.errorsafe.com
O15 - Trusted Zone: *.gimmysmileys.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.media-motor.com
O15 - Trusted Zone: *.mediatickets.net
O15 - Trusted Zone: *.proben.nu
O15 - Trusted Zone: *.snet.ms
O15 - Trusted Zone: *.snet.tc
O15 - Trusted Zone: *.snipernet.biz
O15 - Trusted Zone: *.snipernet.us
O15 - Trusted Zone: *.sxload.com
O15 - Trusted Zone: *.winantivirus.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.yoursitebar.com
O15 - Trusted Zone: *.zango.com
O15 - Trusted Zone: *.zangocash.com
O15 - Trusted Zone: *.adextension.com (HKLM)
O15 - Trusted Zone: *.dollarrevenue.com (HKLM)
O15 - Trusted Zone: *.errorsafe.com (HKLM)
O15 - Trusted Zone: *.gimmysmileys.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.media-motor.com (HKLM)
O15 - Trusted Zone: *.mediatickets.net (HKLM)
O15 - Trusted Zone: *.proben.nu (HKLM)
O15 - Trusted Zone: *.snet.ms (HKLM)
O15 - Trusted Zone: *.snet.tc (HKLM)
O15 - Trusted Zone: *.snipernet.biz (HKLM)
O15 - Trusted Zone: *.snipernet.us (HKLM)
O15 - Trusted Zone: *.sxload.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.yoursitebar.com (HKLM)
O15 - Trusted Zone: *.zango.com (HKLM)
O15 - Trusted Zone: *.zangocash.com (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1124743511609
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} (MediaGatewayX) - http://static.zangocash.com/cab/Zango/ie/bridge-c18.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E5EC2E40-A37B-466A-805D-0B6B3AB2AB3A}: NameServer = 134.74.166.100,134.74.128.7
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: Reliability - C:\WINNT\system32\wd2_32.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\Q0NOWQ\command.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Symantec Ghost Client Agent (NGClient) - Symantec Corporation - C:\Program Files\SYMANTEC\Ghost\NGCTW32.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: windows virus scanner (windows antivirus) - Unknown owner - C:\WINNT\nav32.exe
-

You really need to set up a dedicated folder for HJT items – to avoid horrible clutter and potential lost backup issues.
It's best that the HijackThis tool NOT be located in its current location (particularly on your Desktop or in a TEMP folder). This way you can more easily undo any changes if something goes wrong.
Create a new folder in your C: drive. Name it HJT (or HijackThis), such as C:\Program Files\HJT or C:\HJT, and move the HijackThis.exe file into it. Run HJT from there (and revise your shortcut accordingly).
NEWDOTNET Removal: Open the Control Panel’s Add/Remove Programs list and remove any found entries for:
‘New.net domains’ (B variant) such as NewDotNet,
‘FirstLook’ (FirstLook variant),
‘QuickSearch Toolbar’ (QuickSearch variant).
If the above options are unavailable or are ineffective, try looking in the Program Files\NewDotNet folder for an EXE uninstaller:
(* = any additional pattern of characters)
*Unins*.EXE; unins*.EXE; Unwise.EXE
(copy and use this exact keyword list in a file search of the relevant FOLDER, if needed)
If more than one uninstaller is present, try the installer with the highest version number in its name.
Download deldomains:
http://www.mvps.org/winhelp2002/DelDomains.inf
To use: right-click and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.
Note: Because this will remove all entries in both the Trusted Zone and the Restricted Zone, any program, tool, or settings that were previously used to set restrictions will need to be reset:
Examples (if these are being used):
- Spybot's "Immunize" feature is affected; you will need to re-immunize
- SpywareBlaster's "Enable all protection" feature will have to be re-enabled
- IE-SPYADS will have to be reinstalled
REBOOT.
Run the Ewido scan again and post the log that it creates.
REBOOT and post a revised HJT log.
Last edited by VopThis; 16-02-2006 at 12:50 AM.
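
An added example, not part of either post and not HijackThis's own code: a small Python triage that groups lines of a HijackThis log by the three points the reply raises (HijackThis running from a Temp folder, New.net/NewDotNet entries, and the Trusted Zone domains that DelDomains.inf will clear). The sample input is a shortened excerpt of the log posted above; the function and pattern names are hypothetical, and treating an O15 line without "(HKLM)" as a per-user (HKCU) entry is an assumption.

```python
import re

# Shortened excerpt of the HijackThis log posted above (sample input for this example).
SAMPLE_LOG = r"""Running processes:
C:\WINNT\explorer.exe
C:\Documents and Settings\staff\Local Settings\Temp\wz389\HijackThis.exe
O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet7_22.dll
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O10 - Hijacked Internet access by New.Net
O15 - Trusted Zone: *.zango.com
O15 - Trusted Zone: *.zango.com (HKLM)
O15 - Trusted Zone: *.sxload.com (HKLM)
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")              # e.g. "O15 - Trusted Zone: ..."
ZONE = re.compile(r"^Trusted Zone: (\S+)( \(HKLM\))?$")
NEWDOTNET = re.compile(r"new\.?net|newdot", re.IGNORECASE)  # NewDotNet, New.net, NEWDOT~1


def triage(log_text):
    """Group HijackThis lines by the three points the reply raises."""
    report = {"hjt_in_temp": [], "newdotnet": [], "trusted_zone": {}}
    for line in (l.strip() for l in log_text.splitlines()):
        m = ENTRY.match(line)
        if m is None:
            # Process list: flag HijackThis running out of a Temp folder.
            low = line.lower()
            if low.endswith("hijackthis.exe") and "\\temp\\" in low:
                report["hjt_in_temp"].append(line)
            continue
        code, body = m.groups()
        if NEWDOTNET.search(body):
            report["newdotnet"].append(line)
        z = ZONE.match(body)
        if code == "O15" and z:
            # Assumption: no "(HKLM)" suffix means a per-user (HKCU) entry.
            hive = "HKLM" if z.group(2) else "HKCU"
            report["trusted_zone"].setdefault(z.group(1), set()).add(hive)
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, "->", value)
```

Running the same function on the revised log requested in the reply shows at a glance which of these entries survived the cleanup.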