LS_Magnum

  1. Thank you for reporting this. Our malware lab will have a look at it as soon as possible.
     / Magnum

     [quote name='tommills' post='120959' date='Jul 10 2010, 06:54 PM']Hi, my last scan of this file shows it as webHancer and I need to know if it's a false positive or not; any help would be appreciated. I have uploaded the file in a zip with a password of infected, and here is the scan log. Thanks, Tommills

     Logfile created: 7/10/2010 13:34:10
     Ad-Aware version: 8.3.0
     Extended engine: 3
     Extended engine version: 3.1.2770
     User performing scan: user

     *********************** Definitions database information ***********************
     Lavasoft definition file: 150.6
     Genotype definition file version: 2010/07/09 07:17:03
     Extended engine definition file: 6565.0

     ******************************** Scan results: *********************************
     Scan profile name: Context menu scan (ID: contextmenuscan)
     Objects scanned: 2
     Objects detected: 1

     Type             Detected
     ==========================
     Processes.......: 0
     Registry entries: 0
     Hostfile entries: 0
     Files...........: 1
     Folders.........: 0
     LSPs............: 0
     Cookies.........: 0
     Browser hijacks.: 0
     MRU objects.....: 0

     Quarantined items:
     Description: c:\windows\web\wallpaper\welcome\awhelper.dll
     Family Name: webHancer
     Engine: 3
     Clean status: Success
     Item ID: 1
     Family ID: 0
     MD5: 2dcaa711c9b64ff6cdeba93202b4f408

     Scan and cleaning complete: Finished correctly after 0 seconds

     *********************************** Settings ***********************************
     Scan profile:
     ID: contextmenuscan, enabled:1, value: Context menu scan
     ID: folderstoscan, enabled:1, value:
     ID: useantivirus, enabled:1, value: true
     ID: sections, enabled:1
     ID: scancriticalareas, enabled:1, value: false
     ID: scanrunningapps, enabled:1, value: false
     ID: scanregistry, enabled:1, value: false
     ID: scanlsp, enabled:1, value: false
     ID: scanads, enabled:1, value: false
     ID: scanhostsfile, enabled:1, value: false
     ID: scanmru, enabled:1, value: false
     ID: scanbrowserhijacks, enabled:1, value: false
     ID: scantrackingcookies, enabled:1, value: false
     ID: closebrowsers, enabled:0, value: false
     ID: filescanningoptions, enabled:1
     ID: archives, enabled:1, value: true
     ID: onlyexecutables, enabled:1, value: false
     ID: skiplargerthan, enabled:1, value: 20480
     ID: scanrootkits, enabled:1, value: false
     ID: rootkitlevel, enabled:1, value: mild, domain: medium,mild,strict
     ID: usespywareheuristics, enabled:1, value: true
     Scan global:
     ID: global, enabled:1
     ID: addtocontextmenu, enabled:1, value: true
     ID: playsoundoninfection, enabled:1, value: false
     ID: soundfile, enabled:0, value: *to be filled in automatically*\alert.wav
     Scheduled scan settings:
     <Empty>
     Update settings:
     ID: updates, enabled:1
     ID: launchthreatworksafterscan, enabled:1, value: silently, domain: normal,off,silently
     ID: licenseandinfo, enabled:1, value: dontcheck, domain: dontcheck,downloadandinstall
     ID: schedules, enabled:1, value: true
     ID: updatedaily1, enabled:1, value: Daily 1
     ID: time, enabled:1, value: Fri Oct 16 17:29:00 2009
     ID: frequency, enabled:1, value: daily, domain: daily,monthly,once,systemstart,weekly
     ID: weekdays, enabled:1
     ID: monday, enabled:1, value: false
     ID: tuesday, enabled:1, value: false
     ID: wednesday, enabled:1, value: false
     ID: thursday, enabled:1, value: false
     ID: friday, enabled:1, value: false
     ID: saturday, enabled:1, value: false
     ID: sunday, enabled:1, value: false
     ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
     ID: scanprofile, enabled:1, value:
     ID: auto_deal_with_infections, enabled:1, value: false
     ID: updatedaily2, enabled:1, value: Daily 2
     ID: time, enabled:1, value: Fri Oct 16 23:29:00 2009
     ID: frequency, enabled:1, value: daily, domain: daily,monthly,once,systemstart,weekly
     ID: weekdays, enabled:1
     ID: monday, enabled:1, value: false
     ID: tuesday, enabled:1, value: false
     ID: wednesday, enabled:1, value: false
     ID: thursday, enabled:1, value: false
     ID: friday, enabled:1, value: false
     ID: saturday, enabled:1, value: false
     ID: sunday, enabled:1, value: false
     ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
     ID: scanprofile, enabled:1, value:
     ID: auto_deal_with_infections, enabled:1, value: false
     ID: updatedaily3, enabled:1, value: Daily 3
     ID: time, enabled:1, value: Fri Oct 16 05:29:00 2009
     ID: frequency, enabled:1, value: daily, domain: daily,monthly,once,systemstart,weekly
     ID: weekdays, enabled:1
     ID: monday, enabled:1, value: false
     ID: tuesday, enabled:1, value: false
     ID: wednesday, enabled:1, value: false
     ID: thursday, enabled:1, value: false
     ID: friday, enabled:1, value: false
     ID: saturday, enabled:1, value: false
     ID: sunday, enabled:1, value: false
     ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
     ID: scanprofile, enabled:1, value:
     ID: auto_deal_with_infections, enabled:1, value: false
     ID: updatedaily4, enabled:1, value: Daily 4
     ID: time, enabled:1, value: Fri Oct 16 11:29:00 2009
     ID: frequency, enabled:1, value: daily, domain: daily,monthly,once,systemstart,weekly
     ID: weekdays, enabled:1
     ID: monday, enabled:1, value: false
     ID: tuesday, enabled:1, value: false
     ID: wednesday, enabled:1, value: false
     ID: thursday, enabled:1, value: false
     ID: friday, enabled:1, value: false
     ID: saturday, enabled:1, value: false
     ID: sunday, enabled:1, value: false
     ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
     ID: scanprofile, enabled:1, value:
     ID: auto_deal_with_infections, enabled:1, value: false
     ID: updateweekly1, enabled:1, value: Weekly
     ID: time, enabled:1, value: Fri Oct 16 17:29:00 2009
     ID: frequency, enabled:1, value: weekly, domain: daily,monthly,once,systemstart,weekly
     ID: weekdays, enabled:1
     ID: monday, enabled:1, value: true
     ID: tuesday, enabled:1, value: false
     ID: wednesday, enabled:1, value: false
     ID: thursday, enabled:1, value: false
     ID: friday, enabled:1, value: true
     ID: saturday, enabled:1, value: false
     ID: sunday, enabled:1, value: false
     ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
     ID: scanprofile, enabled:1, value:
     ID: auto_deal_with_infections, enabled:1, value: false
     ID: deffiles, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall
     Appearance settings:
     ID: appearance, enabled:1
     ID: skin, enabled:1, value: Default.eGL, reglocation: HKEY_LOCAL_MACHINE\SOFTWARE\Lavasoft\Ad-Aware\Resource
     ID: showtrayicon, enabled:1, value: true
     ID: language, enabled:1, value: en, reglocation: HKEY_LOCAL_MACHINE\SOFTWARE\Lavasoft\Ad-Aware\Language
     ID: autoentertainmentmode, enabled:1, value: false
     ID: guimode, enabled:1, value: mode_advanced, domain: mode_advanced,mode_simple
     Realtime protection settings:
     ID: realtime, enabled:1
     ID: infomessages, enabled:1, value: onlyimportant, domain: display,dontnotify,onlyimportant
     ID: layers, enabled:1
     ID: useantivirus, enabled:1, value: true
     ID: usespywareheuristics, enabled:1, value: true
     ID: modules, enabled:1
     ID: processprotection, enabled:1, value: true
     ID: registryprotection, enabled:1, value: false
     ID: networkprotection, enabled:1, value: false
     ID: onaccessprotection, enabled:1, value: false

     ****************************** System information ******************************
     Computer name: userMAIN
     Processor name: Intel® Pentium® D CPU 3.20GHz
     Processor identifier: x86 Family 15 Model 6 Stepping 2
     Processor speed: ~3200MHZ
     Raw info: processorarchitecture 0, processortype 586, processorlevel 15, processor revision 1538, number of processors 2, processor features: [MMX,SSE,SSE2]
     Physical memory available: 819298304 bytes
     Physical memory total: 2145820672 bytes
     Virtual memory available: 1913425920 bytes
     Virtual memory total: 2147352576 bytes
     Memory load: 61%
     Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
     Windows startup mode:

     Running processes:
     PID: 728 name: \SystemRoot\System32\smss.exe owner: SYSTEM domain: NT AUTHORITY
     PID: 816 name: \??\C:\WINDOWS\system32\csrss.exe owner: SYSTEM domain: NT AUTHORITY
     PID: 864 name: \??\C:\WINDOWS\system32\winlogon.exe owner: SYSTEM domain: NT AUTHORITY
     PID: 908 name: C:\WINDOWS\system32\services.exe owner: SYSTEM domain: NT AUTHORITY
     PID: 920 name: C:\WINDOWS\system32\lsass.exe owner: SYSTEM domain: NT AUTHORITY
     PID: 1092 name: C:\WINDOWS\system32\Ati2evxx.exe owner: SYSTEM domain: NT AUTHORITY
     PID: 1128 name: C:\WINDOWS\system32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
     PID: 1196 name: C:\WINDOWS\system32\svchost.exe owner: NETWORK SERVICE domain: NT AUTHORITY
     PID: 1320 name: C:\WINDOWS\System32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
     PID: 1384 name: C:\WINDOWS\system32\Ati2evxx.exe owner: SYSTEM domain: NT AUTHORITY
     PID: 1492 name: C:\WINDOWS\system32\svchost.exe owner: NETWORK SERVICE domain: NT AUTHORITY
     PID: 1576 name: C:\WINDOWS\system32\svchost.exe owner: LOCAL SERVICE domain: NT AUTHORITY
     PID: 1652 name: C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe owner: SYSTEM domain: NT AUTHORITY
     PID: 1748 name: C:\WINDOWS\system32\spoolsv.exe owner: SYSTEM domain: NT AUTHORITY
     PID: 1860 name: C:\WINDOWS\system32\svchost.exe owner: LOCAL SERVICE domain: NT AUTHORITY
     PID: 1900 name: C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe owner: SYSTEM domain: NT AUTHORITY
     PID: 1912 name: C:\Program Files\Bonjour\mDNSResponder.exe owner: SYSTEM domain: NT AUTHORITY
     PID: 1932 name: C:\Program Files\DirecTV\DirecTV\Kernel\DMP\CLHNService.exe owner: SYSTEM domain: NT AUTHORITY
     PID: 284 name: C:\WINDOWS\System32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
     PID: 372 name: C:\Program Files\Java\jre6\bin\jqs.exe owner: SYSTEM domain: NT AUTHORITY
     PID: 464 name: C:\Program Files\Common Files\LightScribe\LSSrvc.exe owner: SYSTEM domain: NT AUTHORITY
     PID: 480 name: C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe owner: SYSTEM domain: NT AUTHORITY
     PID: 496 name: C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE owner: SYSTEM domain: NT AUTHORITY
     PID: 528 name: C:\Program Files\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe owner: <UNKNOWN> domain: <UNKNOWN>
     PID: 632 name: C:\Program Files\CyberPower PowerPanel Personal Edition\ppped.exe owner: SYSTEM domain: NT AUTHORITY
     PID: 664 name: C:\WINDOWS\system32\ScsiAccess.EXE owner: SYSTEM domain: NT AUTHORITY
     PID: 648 name: C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe owner: SYSTEM domain: NT AUTHORITY
     PID: 1180 name: C:\WINDOWS\system32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
     PID: 1252 name: C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe owner: <UNKNOWN> domain: <UNKNOWN>
     PID: 1444 name: C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE owner: SYSTEM domain: NT AUTHORITY
     PID: 1628 name: C:\WINDOWS\system32\SearchIndexer.exe owner: SYSTEM domain: NT AUTHORITY
     PID: 2152 name: C:\Program Files\Windows Media Player\WMPNetwk.exe owner: NETWORK SERVICE domain: NT AUTHORITY
     PID: 2824 name: C:\WINDOWS\system32\wbem\wmiprvse.exe owner: SYSTEM domain: NT AUTHORITY
     PID: 3244 name: C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe owner: SYSTEM domain: NT AUTHORITY
     PID: 3544 name: C:\WINDOWS\system32\wbem\unsecapp.exe owner: SYSTEM domain: NT AUTHORITY
     PID: 3556 name: C:\WINDOWS\System32\alg.exe owner: LOCAL SERVICE domain: NT AUTHORITY
     PID: 2768 name: C:\Program Files\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe owner: <UNKNOWN> domain: <UNKNOWN>
     PID: 3644 name: C:\WINDOWS\Explorer.EXE owner: user domain: userMAIN
     PID: 2116 name: C:\Program Files\ATI Technologies\ATI.ACE\cli.exe owner: user domain: userMAIN
     PID: 2548 name: C:\Program Files\HP\HP Software Update\HPWuSchd2.exe owner: user domain: userMAIN
     PID: 2432 name: C:\HP\KBD\KBD.EXE owner: user domain: userMAIN
     PID: 2268 name: C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe owner: user domain: userMAIN
     PID: 2368 name: C:\WINDOWS\system32\hphmon06.exe owner: user domain: userMAIN
     PID: 2448 name: C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe owner: user domain: userMAIN
     PID: 2556 name: C:\WINDOWS\RTHDCPL.EXE owner: user domain: userMAIN
     PID: 3756 name: C:\Program Files\Common Files\Java\Java Update\jusched.exe owner: user domain: userMAIN
     PID: 2616 name: C:\Program Files\iTunes\iTunesHelper.exe owner: user domain: userMAIN
     PID: 2876 name: C:\Program Files\Common Files\Real\Update_OB\realsched.exe owner: user domain: userMAIN
     PID: 1540 name: C:\WINDOWS\system32\ctfmon.exe owner: user domain: userMAIN
     PID: 116 name: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe owner: user domain: userMAIN
     PID: 720 name: C:\Program Files\PC-Doctor 5 for Windows\PcdSmartMonitor.exe owner: user domain: userMAIN
     PID: 764 name: C:\Program Files\CyberPower PowerPanel Personal Edition\pppeuser.exe owner: user domain: userMAIN
     PID: 3932 name: C:\Program Files\Windows Media Player\WMPNSCFG.exe owner: user domain: userMAIN
     PID: 3632 name: C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe owner: user domain: userMAIN
     PID: 2308 name: C:\Program Files\Logitech\SetPoint\SetPoint.exe owner: user domain: userMAIN
     PID: 3660 name: C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE owner: user domain: userMAIN
     PID: 4896 name: c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe owner: user domain: userMAIN
     PID: 5072 name: C:\Program Files\iPod\bin\iPodService.exe owner: SYSTEM domain: NT AUTHORITY
     PID: 5496 name: C:\Program Files\ATI Technologies\ATI.ACE\cli.exe owner: user domain: userMAIN
     PID: 6092 name: c:\windows\system\hpsysdrv.exe owner: user domain: userMAIN
     PID: 404 name: C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe owner: user domain: userMAIN
     PID: 5360 name: C:\Program Files\Mozilla Firefox\firefox.exe owner: user domain: userMAIN
     PID: 5544 name: C:\Program Files\Mozilla Firefox\plugin-container.exe owner: user domain: userMAIN
     PID: 4176 name: C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe owner: user domain: userMAIN
     PID: 5888 name: C:\Program Files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe owner: user domain: userMAIN
     PID: 4484 name: C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe owner: user domain: userMAIN

     Startup items:
     Name: {438755C2-A8BA-11D1-B96B-00A0C90312E1} imagepath: Browseui preloader
     Name: {8C7461EF-2B13-11d2-BE35-3078302C2030} imagepath: Component Categories cache daemon
     Name: PostBootReminder imagepath: {7849596a-48ea-486e-8937-a2a3009f31a9}
     Name: CDBurn imagepath: {fbeb8a05-beee-4442-804e-409d6c4515e9}
     Name: WebCheck imagepath: {E6FB5E20-DE35-11CF-9C87-00AA005127ED}
     Name: SysTray imagepath: {35CEC8A3-2BE6-11D2-8773-92E220524153}
     Name: WPDShServiceObj imagepath: {AAA288BA-9A4C-45B0-95D7-94D524869DB5}
     Name: DWQueuedReporting imagepath: "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
     Name: ATICCC imagepath: "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
     Name: HPHUPD08 imagepath: c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
     Name:
     Name: PCDrProfiler
     Name: HPBootOp imagepath: "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
     Name: HP Software Update imagepath: C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
     Name: PCDrSmartMonitor imagepath: "C:\Program Files\PC-Doctor 5 for Windows\PcdSmartMonitor.exe" -r
     Name: KBD imagepath: C:\HP\KBD\KBD.EXE
     Name: Logitech Hardware Abstraction Layer imagepath: KHALMNPR.EXE
     Name: ISUSPM imagepath: "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
     Name: SymLnch imagepath: C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\LnchStub.exe
     Name: HPDJ Taskbar Utility imagepath: C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
     Name: HPHmon06 imagepath: C:\WINDOWS\system32\hphmon06.exe
     Name: RecoverFromReboot imagepath: C:\WINDOWS\Temp\RecoverFromReboot.exe
     Name: RTHDCPL imagepath: RTHDCPL.EXE
     Name: Alcmtr imagepath: ALCMTR.EXE
     Name: AppleSyncNotifier imagepath: C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
     Name: Adobe Reader Speed Launcher imagepath: "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
     Name: Adobe ARM imagepath: "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
     Name: QuickTime Task imagepath: "C:\Program Files\QuickTime\QTTask.exe" -atboottime
     Name: SunJavaUpdateSched imagepath: "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
     Name: iTunesHelper imagepath: "C:\Program Files\iTunes\iTunesHelper.exe"
     Name: TkBellExe imagepath: "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
     Name: imagepath: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
     Name: location: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk imagepath: C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
     Name: location: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk imagepath: C:\Program Files\Logitech\SetPoint\SetPoint.exe
     Name: location: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk imagepath: C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe

     Bootexecute items:
     Name: imagepath: autocheck autochk *
     Name: imagepath: lsdelete

     Running services:
     Name: ALG displayname: Application Layer Gateway Service
     Name: Apple Mobile Device displayname: Apple Mobile Device
     Name: Ati HotKey Poller displayname: Ati HotKey Poller
     Name: AudioSrv displayname: Windows Audio
     Name: BITS displayname: Background Intelligent Transfer Service
     Name: Bonjour Service displayname: Bonjour Service
     Name: Browser displayname: Computer Browser
     Name: CLHNService3 displayname: CLHNService3
     Name: CryptSvc displayname: Cryptographic Services
     Name: DcomLaunch displayname: DCOM Server Process Launcher
     Name: Dhcp displayname: DHCP Client
     Name: dmserver displayname: Logical Disk Manager
     Name: Dnscache displayname: DNS Client
     Name: ERSvc displayname: Error Reporting Service
     Name: Eventlog displayname: Event Log
     Name: EventSystem displayname: COM+ Event System
     Name: FastUserSwitchingCompatibility displayname: Fast User Switching Compatibility
     Name: helpsvc displayname: Help and Support
     Name: HidServ displayname: HID Input Service
     Name: HTTPFilter displayname: HTTP SSL
     Name: iPod Service displayname: iPod Service
     Name: JavaQuickStarterService displayname: Java Quick Starter
     Name: lanmanserver displayname: Server
     Name: lanmanworkstation displayname: Workstation
     Name: Lavasoft Ad-Aware Service displayname: Lavasoft Ad-Aware Service
     Name: LightScribeService displayname: LightScribeService Direct Disc Labeling Service
     Name: LmHosts displayname: TCP/IP NetBIOS Helper
     Name: LVPrcSrv displayname: Process Monitor
     Name: MDM displayname: Machine Debug Manager
     Name: Netman displayname: Network Connections
     Name: NIS displayname: Norton Internet Security
     Name: Nla displayname: Network Location Awareness (NLA)
     Name: PlugPlay displayname: Plug and Play
     Name: PolicyAgent displayname: IPSEC Services
     Name: ppped displayname: PowerPanel Personal Edition Service
     Name: ProtectedStorage displayname: Protected Storage
     Name: RasMan displayname: Remote Access Connection Manager
     Name: RemoteRegistry displayname: Remote Registry
     Name: RpcSs displayname: Remote Procedure Call (RPC)
     Name: SamSs displayname: Security Accounts Manager
     Name: Schedule displayname: Task Scheduler
     Name: ScsiAccess displayname: ScsiAccess
     Name: SeaPort displayname: SeaPort
     Name: seclogon displayname: Secondary Logon
     Name: SENS displayname: System Event Notification
     Name: SharedAccess displayname: Windows Firewall/Internet Connection Sharing (ICS)
     Name: ShellHWDetection displayname: Shell Hardware Detection
     Name: Spooler displayname: Print Spooler
     Name: srservice displayname: System Restore Service
     Name: SSDPSRV displayname: SSDP Discovery Service
     Name: stisvc displayname: Windows Image Acquisition (WIA)
     Name: Symantec Core LC displayname: Symantec Core LC
     Name: TapiSrv displayname: Telephony
     Name: TermService displayname: Terminal Services
     Name: Themes displayname: Themes
     Name: TrkWks displayname: Distributed Link Tracking Client
     Name: upnphost displayname: Universal Plug and Play Device Host
     Name: W32Time displayname: Windows Time
     Name: WebClient displayname: WebClient
     Name: winmgmt displayname: Windows Management Instrumentation
     Name: wlidsvc displayname: Windows Live ID Sign-in Assistant
     Name: WMPNetworkSvc displayname: Windows Media Player Network Sharing Service
     Name: wscsvc displayname: Security Center
     Name: WSearch displayname: Windows Search
     Name: wuauserv displayname: Automatic Updates
     Name: WZCSVC displayname: Wireless Zero Configuration

     [attachment=8197:awhelper.dll.zip][/quote]
  2. [quote name='pickles' post='120928' date='Jul 10 2010, 04:34 AM']Hello everyone! I've been using the "I-HATE-KEYLOGGERS" program pretty much since it came out. I have also been using AD-AWARE for a few years. Recently (about a week ago, I'd say), AD-AWARE has been starting scans automatically because "a malicious process was detected". The file it finds is "KBHOOKDLL.DLL". It finds this file in C:\WINDOWS\SYSTEM32\KBHOOK.DLL.DLL. It used to classify it in the "Win32.Monitor.KeyLogger" family and categorize it as a "Monitoring tool". I have upgraded my version of AD-AWARE to VERSION 8.3.0 and now it classifies it in the "Monitor.Win32.KeyLogger.w" family in the "Surveillance Tool" category. Now, when I choose not to manually start the I-HATE-KEYLOGGERS program, AD-AWARE never starts a scan. Whenever the program is started, it almost immediately starts one and finds the KBHOOK.DLL.DLL file. It's clear this file is directly related to the I-HATE-KEYLOGGERS program, but is it really dangerous in this context? AD-AWARE gives it a TAI rating of 10!! I also use WEBROOT'S SPYSWEEPER and SPYBOT SEARCH AND DESTROY, and neither of these two programs even cares about this file. AD-AWARE should have fixed this with a program update somewhere around 2008, from what it says in the following link. [url="http://www.lavasoftsupport.com/index.php?showtopic=19611"]http://www.lavasoftsupport.com/index.php?showtopic=19611[/url] That was two years ago. So I am left to wonder, is this a false positive or the real thing? Can someone help? Thank you.[/quote]

     When posting a false positive (FP) notification, you will help us identify the FP more quickly by following the guidelines below:

     1. Upload the log file of the scan that detected the FP. Log files (XP, Vista and 7) are located in:

        Ad-Aware 2008 users:
        C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\logs\Ad-Aware<date information>.log

        Ad-Aware AE users:
        XP - C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Logs\Scan_<date information>.log
        Vista and 7 - C:\ProgramData\Lavasoft\Ad-Aware\Logs\Scan_<date information>.log

        Ad-Aware 8.1 users:
        XP - C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Logs\Scan_<date information>.log
        Vista and 7 - C:\ProgramData\Lavasoft\Ad-Aware\Logs\Scan_<date information>.log

        To upload the file, click on the Browse button within your post, navigate to the log file's location, select the file, then click the green UPLOAD button.

     2. If the detected application is downloadable, provide a link to the download location.

     3. If you have access to the detected file, upload it as described above; however, please be sure to zip your file first and use the password infected, since the forum will not accept the upload of .exe files or renamed .exe files. If the detected file is not available, then a copy of the file from quarantine will suffice. (Please use an application like 7-Zip, ZipCentral or your preferred compression program to zip your file.)

     Thanks!
  3. [quote name='tommills' post='118511' date='Apr 2 2010, 02:51 AM']Hi, new to the forum here, so apologies if I am not in the right place for this topic. I am wondering if the latest def update has found false positives on these files; they appear to have been on my computer for a couple of years. They were detected as Win32.TrojanDownloader.Agent. I am attaching the HijackThis log as well as the Ad-Aware log file after a full system scan. I'm running Windows XP Pro SP3, Ad-Aware free version 8.2.2. Thanks for any help in determining if these are false positives.[/quote]

     Hi Tommills. If you have access to the detected file(s), could you please upload it? However, please be sure to zip your file first and use the password infected, since the forum will not accept the upload of .exe files or renamed .exe files. If the detected file is not available, then a copy of the file from quarantine will suffice. (Please use an application like 7-Zip, ZipCentral or your preferred compression program to zip your file.) Thanks!
  4. [quote name='mtbrider1' post='118068' date='Mar 17 2010, 07:15 PM'][attachment=7922:adaware.txt] When I run Ad-Aware it finds a win32.trojandropper.delf file that it deletes from within the Trixx files. The computer will not run without the file, and on another older topic another user had flagged up the trojandropper file deletion as being a problem within iTunes. Is it a false detection, or is there a problem with the Trixx files? I used the original CD that came with the motherboard to load it onto my computer. I think I have attached the txt file generated.[/quote]

     Thank you for your post. To upload the file, click on the Browse button within your post, navigate to the log file's location, select the file, then click the green UPLOAD button. If you have access to the detected file, upload it as described above; however, please be sure to zip your file first and use the password infected, since the forum will not accept the upload of .exe files or renamed .exe files. If the detected file is not available, then a copy of the file from quarantine will suffice. (Please use an application like 7-Zip, ZipCentral or your preferred compression program to zip your file.) Thanks!
  5. [quote name='dubinm' post='117754' date='Mar 7 2010, 01:47 PM']Hi: I am new to these forums and was advised by tech support to post here about the false positives I have been getting on full scans since version 8.2 was released a few weeks ago. I did reply to another post on this but decided to create a new topic, since the other might not be noticed. Sorry for the double posting, but again, I am new here. Anyway, at the advice of tech support, I have uploaded the scan log file showing the four false positives from the last full scan I did on Friday. Thanks in advance for your support in resolving this issue. [attachment=7892:Scan_201...19_16_17.log][/quote]

     Hello, thank you for reporting this issue. Could I please ask you to zip and upload the detected file?

     Regards,
     LS Johan
  6. [quote name='karthik' post='116733' date='Feb 16 2010, 07:41 PM']Hello, yesterday I downloaded and installed the free Lavasoft Ad-Aware version 8.2. Upon completing the smart scan, the Ad-Aware program does something to my RegistryEasy program (a program that I use to clean up my registry; authentic license I purchased from the vendor). Somehow Lavasoft Ad-Aware detects the RegistryEasy cleaner to be malware. It identifies it as win32.fraudtool.registyeasyXX (a few instances) and cleans/quarantines them. After this I cannot start up the RegistryEasy program; the startup icon even goes missing. I need to know a workaround for this. I already have "regeasycleaner.exe" as a process to be "allowed" in the Ad-Aware "Live Watch!" settings, yet every time I complete a scan I need to reinstall RegistryEasy anew to make it run. Ad-Aware personnel's solution to this problem was that I can restore the quarantine, as it is a false positive. I did so and found my RegistryEasy shortcuts reappeared, but I cannot launch the program as it cannot find the folders. I'm guessing Ad-Aware didn't restore properly, or not all folders, or replaced folders in a different place? What can I do to keep my RegistryEasy program from being affected by Ad-Aware? Also, this solution of restoring quarantine may work this time around. What about when I rerun Ad-Aware some other time; what is to say that Ad-Aware will not quarantine this program again? I see there is an "IgnoreList" option under Scan settings. But I don't know how to specify the exact instances of the family (win32.fraudtool.registryeasy...). Because it looks like there are options to specify folders to ignore during a scan, but that's not what I want, is it? Please advise. Thanks & regards, <name removed>, M.Sc.[/quote]

     Hi Karthik! When posting a false positive (FP) notification, you will help us identify the FP more quickly by following the guidelines below:

     1. Upload the log file of the scan that detected the FP. Log files (XP, Vista and 7) are located in:

        Ad-Aware 2008 users:
        C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\logs\Ad-Aware<date information>.log

        Ad-Aware AE users:
        XP - C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Logs\Scan_<date information>.log
        Vista and 7 - C:\ProgramData\Lavasoft\Ad-Aware\Logs\Scan_<date information>.log

        Ad-Aware 8.1 users:
        XP - C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Logs\Scan_<date information>.log
        Vista and 7 - C:\ProgramData\Lavasoft\Ad-Aware\Logs\Scan_<date information>.log

        To upload the file, click on the Browse button within your post, navigate to the log file's location, select the file, then click the green UPLOAD button.

     2. If the detected application is downloadable, provide a link to the download location.

     3. If you have access to the detected file, upload it as described above; however, please be sure to zip your file first and use the password infected, since the forum will not accept the upload of .exe files or renamed .exe files. If the detected file is not available, then a copy of the file from quarantine will suffice. (Please use an application like 7-Zip, ZipCentral or your preferred compression program to zip your file.)

     Thanks!
  7. [quote name='Janly' post='116723' date='Feb 16 2010, 06:26 PM']I've downloaded a program (Prey-0.3.3-win.exe) from Preyproject.com, which is a program to assist in recovering a stolen laptop. However, each time I download it, AAW views it as malware and quarantines it. I go into the Quarantine and select restore. The program comes out of the list; however, it doesn't restore it. Does it send it to another folder other than the original, and if so, where? How can I restore it back to the original folder? Thanks.[/quote]

     Hi Janly! When posting a false positive (FP) notification, you will help us identify the FP more quickly by following the guidelines below:

     1. Upload the log file of the scan that detected the FP. Log files (XP, Vista and 7) are located in:

        Ad-Aware 2008 users:
        C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\logs\Ad-Aware<date information>.log

        Ad-Aware AE users:
        XP - C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Logs\Scan_<date information>.log
        Vista and 7 - C:\ProgramData\Lavasoft\Ad-Aware\Logs\Scan_<date information>.log

        Ad-Aware 8.1 users:
        XP - C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Logs\Scan_<date information>.log
        Vista and 7 - C:\ProgramData\Lavasoft\Ad-Aware\Logs\Scan_<date information>.log

        To upload the file, click on the Browse button within your post, navigate to the log file's location, select the file, then click the green UPLOAD button.

     2. If the detected application is downloadable, provide a link to the download location.

     3. If you have access to the detected file, upload it as described above; however, please be sure to zip your file first and use the password infected, since the forum will not accept the upload of .exe files or renamed .exe files. If the detected file is not available, then a copy of the file from quarantine will suffice. (Please use an application like 7-Zip, ZipCentral or your preferred compression program to zip your file.)

     Thanks!
  8. [quote name='_aNDy_' post='116605' date='Feb 14 2010, 12:04 PM']I have an object detected as Win32.Monitor.Ardamax, but I suspect that it is a false alarm. The object itself is HunPoKey.exe, an executable that installs a Hungarian keyboard on a Windows Mobile phone. I downloaded the file from here [url="ftp://www2.tranexp.com/pub/PoK/HunPoKey.exe"]ftp://www2.tranexp.com/pub/PoK/HunPoKey.exe[/url], but it has been a while ago, so I am not sure if it is the same as the one on my PC, so I attached the suspected file. I appreciate any information or suggestion. [attachment=7826:Scan_201...12_11_52.log] [attachment=7828:HunPoKey.zip][/quote]

     Hello Andy. Our Malware labs will look into this issue, and if it turns out to be a false positive it will be removed from detection. Thank you.
  9. [quote name='thaun' post='114274' date='Dec 12 2009, 11:25 AM']
I think that the latest definitions falsely find UpdateInstaller.exe from the application 'WSUS Offline Update' to contain a worm, Sohanad/D. Avira Antivir does not consider it to contain a worm. Greetings Tom
[/quote]

Hi Tom,

Thank you for reporting this. Our malware lab will have a look at this as soon as possible.

Regards, Johan
  10. [quote name='c.haslam' post='114258' date='Dec 12 2009, 03:12 AM']
I think (know?) that the latest definitions falsely find autoit3.exe to contain a worm, Sohanad/D. KAV does not consider it to contain a worm. I have to disable Ad-Watch to be able to run AutoIt scripts. ...chris
[/quote]

Hi Chris. Thank you for reporting this. When posting a false positive (FP) notification, you will help us identify the FP more quickly by following the below guidelines:

1. Upload the log file of the scan that detected the FP. Log files (XP, Vista and 7) are located in:
Ad-Aware 2008 users
C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\logs\Ad-Aware<date information>.log
Ad-Aware AE users
XP - C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Logs\Scan_<date information>.log
Vista and 7 - C:\ProgramData\Lavasoft\Ad-Aware\Logs\Scan_<date information>.log
Ad-Aware 8.1 users
XP - C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Logs\Scan_<date information>.log
Vista and 7 - C:\ProgramData\Lavasoft\Ad-Aware\Logs\Scan_<date information>.log
To upload the file, click on the Browse button within your post, navigate to the log file's location, select the file then click the green UPLOAD button.

2. If the detected application is downloadable, provide a link to the download location.

3. If you have access to the detected file, upload it as described above, however, please be sure to zip your file first and use the password [b]infected[/b] since the forum will not accept the upload of .exe files or renamed .exe files. If the detected file is not available, then a copy of the file from quarantine will suffice. (Please, use an application like 7-Zip, ZipCentral or your preferred compression program to zip your file.)

Thanks!
  11. [quote name='mrossmg' post='113906' date='Dec 2 2009, 11:28 PM']
Here is the updated log file
[/quote]

Thank you, our malware lab will have a look at this as soon as possible.
  12. [quote name='mrossmg' post='113896' date='Dec 2 2009, 07:08 PM']
So I recently bought Adaware Pro and did a full system scan. It came back with TR/Crypt.XPACK.Gen as a trojan and TR/Dropper.Gen. After researching on google for a while I came across some posts in which people said these were false positives and others in which it said it was a malicious file. I have quarantined both of them but I am afraid that some of my personal data may be at risk because I recently made some online purchases. Should I be advised to cancel my cards/change all my passwords? I have Kaspersky Internet Security and Malwarebytes also installed... neither of them showed these files. Any information on this threat would be most beneficial, thanks!
[/quote]

When posting a false positive (FP) notification, you will help us identify the FP more quickly by following the below guidelines:

1. Upload the log file of the scan that detected the FP. Log files (XP, Vista and 7) are located in:
Ad-Aware 2008 users
C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\logs\Ad-Aware<date information>.log
Ad-Aware AE users
XP - C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Logs\Scan_<date information>.log
Vista and 7 - C:\ProgramData\Lavasoft\Ad-Aware\Logs\Scan_<date information>.log
Ad-Aware 8.1 users
XP - C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Logs\Scan_<date information>.log
Vista and 7 - C:\ProgramData\Lavasoft\Ad-Aware\Logs\Scan_<date information>.log
To upload the file, click on the Browse button within your post, navigate to the log file's location, select the file then click the green UPLOAD button.

2. If the detected application is downloadable, provide a link to the download location.

3. If you have access to the detected file, upload it as described above, however, please be sure to zip your file first - the forum will not accept the upload of .exe files or renamed .exe files. You could use an application like 7-Zip, ZipCentral or your preferred compression program to zip your file.

Thanks!
  13. Thank you for reporting this. Please do the following so that the matter can be investigated:

1. Upload the log file of the scan that detected the FP. Log files (XP, Vista and 7) are located in:
Ad-Aware 2008 users
C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\logs\Ad-Aware<date information>.log
Ad-Aware AE users
XP - C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Logs\Scan_<date information>.log
Vista and 7 - C:\ProgramData\Lavasoft\Ad-Aware\Logs\Scan_<date information>.log
Ad-Aware 8.1 users
XP - C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Logs\Scan_<date information>.log
Vista and 7 - C:\ProgramData\Lavasoft\Ad-Aware\Logs\Scan_<date information>.log
To upload the file, click on the Browse button within your post, navigate to the log file's location, select the file then click the green UPLOAD button.

If you have access to the detected file, upload it as described above, however, please be sure to zip your file first - the forum will not accept the upload of .exe files or renamed .exe files. You could use an application like 7-Zip, ZipCentral or your preferred compression program to zip your file.

Thanks!
  14. Hi, as you have a valid license you are entitled to support either through email or chat. Please contact the support staff once more and tell them your issue was not resolved; they will be more than happy to assist. Log into the support center to access either of these features: http://www.lavasoft.com/support/supportcenter/
  15. The Ad-Aware update server is currently under a lot of stress, which is causing updates to run slower than usual. Please be patient and let the download finish. We expect this issue to be resolved shortly.