Adaware starts then closes



#1 expat83 (Newbie, Members, 5 posts)

Posted 14 August 2006 - 07:45 PM

I have a customer PC with a strange problem.
First I could not install Adaware at all - the install closed immediately.
I booted into safe mode (XP Home) and then I could do the install.
I ran a scan and Adaware found some bad items which I deleted.

After booting normally I tried to run the tool again.

It starts OK, shows "loading definitions" and when this completes the
tool closes immediately.

Any idea would be helpful.

HijackThis shows nothing alarming, BHO shows all in green and a Norton
online scan shows nothing of interest.

Thanks for any help

expat83

#2 Ad Astra (Advanced Member, Volunteer Security Advisor, 881 posts)

Posted 14 August 2006 - 10:26 PM

Hi

Does Ad-Aware SE stay on the screen until you start to scan? If so, could you try starting Ad-Aware SE, then click on the gear icon, then click on the Tweak button. On the right-hand side, under Tweak Settings, click on the plus sign to expand the Scanning Engine section and then deselect (so that it shows a red cross) the item "Unload recognized processes and modules during scan". Click on the Proceed button to save the settings, then try running a scan. Can you run a scan now? If so, please post a copy of the scan log file.

If Ad-Aware SE still closes straight away, can you post a copy of the HijackThis log? As this contains a list of running processes, it would be useful to see what is running at the time.

#3 expat83 (Newbie, Members, 5 posts)

Posted 15 August 2006 - 06:51 AM

Hi,

No, it closes immediately after "loading definitions" - no chance to select anything.
I'll get a log file from the customer and paste it in here later.
Thanks for your input!
Regards
expat83

#4 expat83 (Newbie, Members, 5 posts)

Posted 15 August 2006 - 01:31 PM

OK, here is the log file of HijackThis.
Thanks!

Logfile of HijackThis v1.99.1
Scan saved at 10:49:04, on 15.08.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS.0\System32\smss.exe
C:\WINDOWS.0\system32\winlogon.exe
C:\WINDOWS.0\system32\services.exe
C:\WINDOWS.0\system32\lsass.exe
C:\WINDOWS.0\system32\svchost.exe
C:\Programme\Windows Defender\MsMpEng.exe
C:\WINDOWS.0\System32\svchost.exe
C:\WINDOWS.0\Explorer.EXE
C:\WINDOWS.0\system32\spoolsv.exe
C:\WINDOWS.0\sm56hlpr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\programme\zango\zango.exe
D:\CK Popup Killer 2.2\PKILL.EXE
C:\Programme\Messenger\msmsgs.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
D:\Programme\Executive Software\DiskeeperLite\DKService.exe
C:\Programme\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS.0\System32\svchost.exe
C:\Programme\Canon\CAL\CALMAIN.exe
C:\WINDOWS.0\system32\wuauclt.exe
C:\Programme\Outlook Express\msimn.exe
C:\Dokumente und Einstellungen\Harald Müller.HARALD-DKW8UT4O\Desktop\Tools von PC-Pannendienst\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.msn.de/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.de/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll
F3 - REG:win.ini: run= ,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: My Global Search Bar BHO - {37B85A21-692B-4205-9CAD-2626E4993404} - C:\Programme\MyGlobalSearch\bar\1.bin\MGSBAR.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Zango Search Assistant Helper /fleok=1D8A83A5C5E315789FA575760EA83FA5EF80752B94E3D67C5F7B432B3CCF - {56F1D444-11BF-4879-A12B-79CF0177F038} - c:\programme\zango\zangohook.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll
O3 - Toolbar: My Global Search Bar - {37B85A29-692B-4205-9CAD-2626E4993404} - C:\Programme\MyGlobalSearch\bar\1.bin\MGSBAR.DLL
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS.0\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [zango] "c:\programme\zango\zango.exe"
O4 - HKCU\..\Run: [CK POPUP KILLER] D:\CK Popup Killer 2.2\PKILL.EXE -hide
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Programme\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Registry Cleaner] "C:\Programme\Registry Cleaner Trial\Regclean.exe" -startminimize
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS.0\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Startup: BHODemon 2.0.lnk = C:\Programme\BHODemon 2\BHODemon.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Programme\ICQToolbar\toolbaru.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra button: Klicke hier um das Projekt xp-AntiSpy zu unterstützen - {0e921e80-267a-42aa-aee4-60b9a1222a44} - D:\Programme\xp-AntiSpy\sponsoring\sponsor.html (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Unterstützung für xp-AntiSpy - {0e921e80-267a-42aa-aee4-60b9a1222a44} - D:\Programme\xp-AntiSpy\sponsoring\sponsor.html (file missing) (HKCU)
O9 - Extra button: Klicke hier um das Projekt xp-AntiSpy zu unterstützen - {E1787777-8760-4509-BCFC-18F70ECE1C74} - D:\Programme\xp-AntiSpy\sponsoring\sponsor.html (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Unterstützung für xp-AntiSpy - {E1787777-8760-4509-BCFC-18F70ECE1C74} - D:\Programme\xp-AntiSpy\sponsoring\sponsor.html (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.freenet.de
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1155380085031
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = HARALD-DKW8UT40
O17 - HKLM\Software\..\Telephony: DomainName = HARALD-DKW8UT40
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = HARALD-DKW8UT40
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = HARALD-DKW8UT40
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS.0\SYSTEM32\WgaLogon.dll
O21 - SSODL: bestreak - {874443fe-aa33-4ebf-a6ac-73208787e62d} - C:\WINDOWS.0\system32\viruxz.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Programme\Canon\CAL\CALMAIN.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - D:\Programme\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Programme\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe

#5 Ad Astra (Advanced Member, Volunteer Security Advisor, 881 posts)

Posted 16 August 2006 - 09:07 AM

Hi

There are some suspect programs running. Some malware items target Ad-Aware SE to prevent themselves being removed; maybe we have one of these. Could you confirm whether you are using the free version, Ad-Aware SE Personal, or one of the purchased versions, Plus or Professional? I would need to check if a setting is available in Personal if you are using that.

In the meantime, can you remove two items using HijackThis?

First please install HijackThis to a folder rather than on your desktop. If you need help with this please see this post:

http://www.lavasofts...p?showtopic=216

This will ensure that we can reverse any changes made using HijackThis.

Then close all running applications and browser windows etc and start HijackThis. Place a check against each of these two items:

O2 - BHO: Zango Search Assistant Helper /fleok=1D8A83A5C5E315789FA575760EA83FA5EF80752B94E3D67C5F7B432B3CCF - {56F1D444-11BF-4879-A12B-79CF0177F038} - c:\programme\zango\zangohook.dll

O4 - HKLM\..\Run: [zango] "c:\programme\zango\zango.exe"

Then click on Fix Checked and exit HijackThis. Reboot the PC and see if Ad-Aware SE will now start. Please post an update and let us know which version of Ad-Aware SE you are running.

#6 LS CalamityJane (Former Lavasoft Staff, Members, 8814 posts)

Posted 16 August 2006 - 12:55 PM

To add to Ad Astra's steps, Please go to the Control Panel and look in Add/Remove programs. If this is listed, please highlight it and remove from there:

zango <---remove via Add/Remove programs
.............................................
That PC also had a Smitfraud hijacker, as I see a sign of it in the log in the O21 section. Please run this free tool to remove it and post the requested logs back here:

1. Download SmitfraudFix (by S!Ri) to your Desktop (Win2k/WinXP only!).
http://siri.urz.free...mitfraudFix.zip
Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.

How to extract (decompress) zipped or compressed files
http://www.lvsonline...tut/index.shtml

Note : process.exe is part of the SmitFraudFix tool and is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky, Panda) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.


2. Reboot into Safe Mode
You can usually do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.

How to start the computer in Safe mode
http://service1.syma...src=sec_doc_nam

3. Once in Safe mode, open the SmitfraudFix folder and double-click smitfraudfix.cmd

Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, please do it yourself manually.

4. Once back into normal mode, please scan with HijackThis to produce a log. Post that log into your topic along with the other requested logs named below.

Logs needed in your next post are:

rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed

Fresh HijackThis log


Microsoft MVP/Windows - Security 2003-2009
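As an added example (not part of this thread, and not Lavasoft's, HijackThis's or SmitfraudFix's own code), the triage that Ad Astra and CalamityJane did by eye, written as a script run over a few lines copied from the log posted above: it flags the O21 SSODL entry whose DLL is "(file missing)" and any O2/O3/O4 entry whose path contains a watch-listed name, and produces the lines to tick under Fix Checked. The watchlist containing only "zango", and the rule that an SSODL entry with a missing DLL is suspect, are assumptions of the example, not rules from the tools.

```python
import re
from dataclasses import dataclass
from typing import Iterator

# Constructed sample: a handful of lines copied from the HijackThis log above.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Zango Search Assistant Helper /fleok=1D8A83A5C5E315789FA575760EA83FA5EF80752B94E3D67C5F7B432B3CCF - {56F1D444-11BF-4879-A12B-79CF0177F038} - c:\programme\zango\zangohook.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [zango] "c:\programme\zango\zango.exe"
O21 - SSODL: bestreak - {874443fe-aa33-4ebf-a6ac-73208787e62d} - C:\WINDOWS.0\system32\viruxz.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
"""

# Assumption for this example: the only watch-listed name is the one the
# helpers in the thread singled out. A real list would be much longer.
WATCHLIST = ("zango",)

# Every HijackThis finding starts with a section tag such as "O4 - ".
ENTRY_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")


@dataclass
class Finding:
    section: str  # HijackThis section, e.g. "O21"
    reason: str   # why the line was flagged
    line: str     # the full log line, as it appears in the Fix Checked list


def parse_entries(log_text: str) -> Iterator[tuple[str, str, str]]:
    """Yield (section, body, raw_line) for each O-section line; skip the rest."""
    for raw in log_text.splitlines():
        raw = raw.strip()
        m = ENTRY_RE.match(raw)
        if m:
            yield m.group(1), m.group(2), raw


def triage(log_text: str, watchlist: tuple[str, ...] = WATCHLIST) -> list[Finding]:
    """Flag suspect entries, in log order."""
    findings: list[Finding] = []
    for section, body, raw in parse_entries(log_text):
        lowered = body.lower()
        # Rule 1 (assumption): an O21 SSODL entry is loaded into Explorer at
        # logon; one that names a DLL HijackThis cannot find on disk is the
        # pattern the helper above read as a Smitfraud sign.
        if section == "O21" and "(file missing)" in lowered:
            findings.append(Finding(section, "SSODL entry with missing DLL", raw))
            continue
        # Rule 2: BHOs (O2), toolbars (O3) and autostarts (O4) whose text
        # contains a watch-listed name.
        if section in ("O2", "O3", "O4"):
            hit = next((w for w in watchlist if w in lowered), None)
            if hit is not None:
                findings.append(Finding(section, f"watch-listed name '{hit}'", raw))
    return findings


def fix_list(findings: list[Finding]) -> list[str]:
    """The lines to place a check against in HijackThis before Fix Checked."""
    return [f.line for f in findings]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

On the sample this reports the Zango BHO, the Zango Run entry and the bestreak SSODL entry, which are the three items the two helpers asked to have removed; the AVG and Acrobat lines pass. Matching on a bare name is deliberately crude (it would also match an unrelated product with "zango" in its path), so the output is a list to review, not to fix blindly.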

#7 expat83 (Newbie, Members, 5 posts)

Posted 18 August 2006 - 10:25 AM

> Could you confirm if you are using the free version Ad-Aware SE Personal or one of the purchased versions Plus or Professional?

He is running the free version, Ad-Aware SE Personal.

Thanks / expat83

#8 expat83 (Newbie, Members, 5 posts)

Posted 18 August 2006 - 10:34 AM

Hi,

Thanks for the great input. I'll pass this on to the customer. I don't think he'll want to
pay to have me come over and do all this stuff and his English is good enough to get
through it.
Regards and thanks

expat83

#9 Ad Astra (Advanced Member, Volunteer Security Advisor, 881 posts)

Posted 20 August 2006 - 10:44 AM

Hi

Please post back how they get on and if they can then run Ad-Aware SE once they have removed the items as described above.