Full Version: New user needs help with results
newuser
I am running Windows XP Professional with Ad-Aware SE Plus, using the built-in XP firewall and Norton Anti-Virus Corp Edition.

I am new to all of this and would appreciate some help on how to interpret/decipher the results from the software.

(1) Below is the AWstats.txt report from Ad-Watch. Is there any place in Ad-Aware or Ad-Watch that can give me more details on "browser hijack attempts blocked"? It seems strange given I took my PC into a PC shop to clean out any viruses. The PC supposedly came back clean yesterday. If I run NAV today, no viruses are picked up.

I have run Ad-Aware and no spyware/critical objects are found.

Summary (11/6/2006 1:46:51 PM)
---------------------------------------
Internal Events : 143
Popups Blocked : 16
Tracking Cookies Blocked : 5
Other Registry Events Blocked : 87
Browser Hijack Attempts Blocked : 14
Processes Blocked : 0
Accepted : 1
Blocked : 100
Total Ad-Watch Events : 265


(2) I have also pasted the results from the Awevlog. Is there a place in the help menu that will break down exactly what I am looking at?

11/6/2006 12:36:57 PM> Registry modification detected
11/6/2006 12:36:57 PM>
11/6/2006 12:36:57 PM> Root:HKEY_CURRENT_USER
11/6/2006 12:36:57 PM> Key:Software\Microsoft\Internet Explorer\SearchUrl
11/6/2006 12:36:57 PM> Value:provider
11/6/2006 12:36:57 PM> Data:
11/6/2006 12:36:57 PM> New Data:
11/6/2006 12:36:57 PM>
11/6/2006 1:17:48 PM> Registry modification detected
11/6/2006 1:17:48 PM>
11/6/2006 1:17:48 PM> Root:HKEY_CURRENT_USER
11/6/2006 1:17:48 PM> Key:Software\Microsoft\Internet Explorer\SearchUrl
11/6/2006 1:17:48 PM> Value:provider
11/6/2006 1:17:48 PM> Data:
11/6/2006 1:17:48 PM> New Data:
11/6/2006 1:17:48 PM>
11/6/2006 1:26:09 PM> Registry modification detected
11/6/2006 1:26:09 PM>
11/6/2006 1:26:09 PM> Root:HKEY_CURRENT_USER
11/6/2006 1:26:09 PM> Key:Software\Microsoft\Internet Explorer\SearchUrl
11/6/2006 1:26:09 PM> Value:provider
11/6/2006 1:26:09 PM> Data:
11/6/2006 1:26:09 PM> New Data:
11/6/2006 1:26:09 PM>
11/6/2006 1:41:56 PM> Registry modification detected
11/6/2006 1:41:56 PM>
11/6/2006 1:41:56 PM> Root:HKEY_CURRENT_USER
11/6/2006 1:41:56 PM> Key:Software\Microsoft\Internet Explorer\SearchUrl
11/6/2006 1:41:56 PM> Value:provider
11/6/2006 1:41:56 PM> Data:
11/6/2006 1:41:56 PM> New Data:
11/6/2006 1:41:56 PM>
11/6/2006 1:41:56 PM> Registry modification detected
11/6/2006 1:41:56 PM>
11/6/2006 1:41:56 PM> Root:HKEY_CURRENT_USER
11/6/2006 1:41:56 PM> Key:Software\Microsoft\Internet Explorer\SearchUrl
11/6/2006 1:41:56 PM> Value:provider
11/6/2006 1:41:56 PM> Data:
11/6/2006 1:41:56 PM> New Data:
11/6/2006 1:41:56 PM>

Thanks so much and please excuse my ignorance on these matters. Any help would be greatly appreciated.
newuser
Each time I launch IE ver 7.0, Ad-Watch registers and blocks a browser hijack attempt:

Summary (11/7/2006 9:06:56 AM)
---------------------------------------
Internal Events : 158
Popups Blocked : 16
Tracking Cookies Blocked : 5
Other Registry Events Blocked : 87
Browser Hijack Attempts Blocked : 76
Processes Blocked : 0
Accepted : 1
Blocked : 162
Total Ad-Watch Events : 342

I have been told by my local tech shop that I do not need to worry given Ad-Aware is doing its job. I am not comfortable with this answer given there should be no browser hijack attempts if the machine was clean, and my built-in Windows XP firewall keeps disabling itself. If I go to Control Panel > Admin Tools > Services and manually try to switch it on, I get an error message and am not able to do so.

I have pasted the HijackThis log, trying to look for anything suspicious, but I really need some help interpreting the results.

Any help would be greatly appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 9:03:34 AM, on 11/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.sympatico.ca/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowsonecare.com/install/cli/...nSSWebAgent.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/d...wlscbase969.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://gisweb7.city.vancouver.bc.ca/download/mgaxctrl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1124749315203
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ca_dom
O17 - HKLM\Software\..\Telephony: DomainName = ca_dom
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ca_dom
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ca_dom
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: iSeries Access for Windows Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe



Thanks
spike-nz
Hi newuser,

Is your Ad-Watch set to Automatic, rather than Active?

Click to view attachment

Notice the green tick and the red cross.

With Automatic, all changes to your system are silently blocked - good for people that rarely install/change/uninstall programs or updates. However, the flipside is that it also blocks intentional changes, including setting your search page.

In Active mode, whenever a change is detected, Ad-Watch pops up an alert window - if you have just made a change (including any MS updates), read the alert to make sure what it refers to, and Accept. If the alert appears when you have not initiated any changes, read what the alert is about, then Block the change (unless you recognise it).

An intermediate setting would be Automatic most of the time, with a manual change to Active when you are making changes to, or updating, your system - then manually change back to Automatic. This calls for you to remember to change the modes every time you install/update/uninstall, and is not very practical.

As I am always tinkering with my system, I leave it set to Active, but always read the alerts carefully...
You also wouldn't keep blocking the same change, as in your post.

Regards,

Spike
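
The repeated blocking of one change that Spike describes can be read straight out of the Awevlog. As an added example (not part of the original thread and not Lavasoft's code), this Python script parses log lines in the layout pasted in the first post and counts events per registry key and value; the sample log is constructed, its last event is made up, and the function names are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the layout of the Awevlog excerpt in the first post;
# the last event's key and data are made up to show a differing entry.
SAMPLE_LOG = r"""
11/6/2006 12:36:57 PM> Registry modification detected
11/6/2006 12:36:57 PM>
11/6/2006 12:36:57 PM> Root:HKEY_CURRENT_USER
11/6/2006 12:36:57 PM> Key:Software\Microsoft\Internet Explorer\SearchUrl
11/6/2006 12:36:57 PM> Value:provider
11/6/2006 12:36:57 PM> Data:
11/6/2006 12:36:57 PM> New Data:
11/6/2006 1:17:48 PM> Registry modification detected
11/6/2006 1:17:48 PM> Root:HKEY_CURRENT_USER
11/6/2006 1:17:48 PM> Key:Software\Microsoft\Internet Explorer\SearchUrl
11/6/2006 1:17:48 PM> Value:provider
11/6/2006 1:17:48 PM> Data:
11/6/2006 1:17:48 PM> New Data:
11/6/2006 1:20:00 PM> Registry modification detected
11/6/2006 1:20:00 PM> Root:HKEY_CURRENT_USER
11/6/2006 1:20:00 PM> Key:Software\Example\Constructed
11/6/2006 1:20:00 PM> Value:setting
11/6/2006 1:20:00 PM> Data:old
11/6/2006 1:20:00 PM> New Data:http://example.invalid/
"""

# Timestamp, '>' separator, then the (possibly empty) body of the line.
LINE = re.compile(r"^(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)>\s?(.*)$")

def parse_events(text):
    """Split the log into one dict per 'Registry modification detected' block."""
    events = []
    for raw in text.splitlines():
        if not (m := LINE.match(raw.strip())):
            continue
        stamp, body = m.groups()
        if body == "Registry modification detected":
            events.append({"time": stamp})
        elif events and ":" in body:
            # Split at the first colon only, so URLs in the data stay intact.
            field, _, value = body.partition(":")
            if field in ("Root", "Key", "Value", "Data", "New Data"):
                events[-1][field] = value.strip()
    return events

def repeated_targets(events):
    """Count events per (registry path, value name), most frequent first."""
    return Counter((e.get("Root", "") + "\\" + e.get("Key", ""), e.get("Value", ""))
                   for e in events).most_common()
```

A target that tops the list with identical `Data` and `New Data` on every event is the same write being retried, which is what Automatic mode produces when it keeps blocking one change.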
LS CalamityJane
I merged your posts into one topic. Did you see spike-nz's answer above, newuser?