expat83

Adaware starts then closes

9 posts in this topic

I have a customer PC with a strange problem.

First I could not install Adaware at all - the install closed immediately.

I booted into safe mode (XP Home) and then I could do the install.

I ran a scan and Adaware found some bad items which I deleted.

 

After booting normally I tried to run the tool again.

 

It starts OK, shows "loading definitions" and when this completes the tool closes immediately.

 

Any idea would be helpful.

 

HijackThis shows nothing alarming. BHO shows all in green and a Norton online scan shows nothing of interest.

 

Thanks for any help

 

expat83


Hi

 

Does Ad-Aware SE stay on the screen until you start to scan? If so, could you try starting Ad-Aware SE, then click on the gear icon, then click on the tweak button. On the right-hand side under tweak settings, click on the plus sign to expand the scanning engine section and then deselect (i.e. so it shows a red cross) the item "unload recognized processes and modules during scan". Click on the proceed button to save the settings, then try running a scan. Can you run a scan now? If so, please post a copy of the scan log file.

 

If Ad-Aware SE still closes straight away, can you post a copy of the HijackThis log? As this contains a list of running processes, it would be useful to see what is running at the time.


Hi,

 

No, it closes immediately after "loading definitions" - no chance to select anything.

I'll get a log file from the customer and paste it in here later.

Thanks for your input!

Regards

expat83


OK, here is the log file of HijackThis.

Thanks!

 

Logfile of HijackThis v1.99.1

Scan saved at 10:49:04, on 15.08.2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS.0\System32\smss.exe

C:\WINDOWS.0\system32\winlogon.exe

C:\WINDOWS.0\system32\services.exe

C:\WINDOWS.0\system32\lsass.exe

C:\WINDOWS.0\system32\svchost.exe

C:\Programme\Windows Defender\MsMpEng.exe

C:\WINDOWS.0\System32\svchost.exe

C:\WINDOWS.0\Explorer.EXE

C:\WINDOWS.0\system32\spoolsv.exe

C:\WINDOWS.0\sm56hlpr.exe

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

C:\programme\zango\zango.exe

D:\CK Popup Killer 2.2\PKILL.EXE

C:\Programme\Messenger\msmsgs.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

D:\Programme\Executive Software\DiskeeperLite\DKService.exe

C:\Programme\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

C:\WINDOWS.0\System32\svchost.exe

C:\Programme\Canon\CAL\CALMAIN.exe

C:\WINDOWS.0\system32\wuauclt.exe

C:\Programme\Outlook Express\msimn.exe

C:\Dokumente und Einstellungen\Harald Müller.HARALD-DKW8UT4O\Desktop\Tools von PC-Pannendienst\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/de/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.de/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.msn.de/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.de/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer

R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll

F3 - REG:win.ini: run= ,

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: My Global Search Bar BHO - {37B85A21-692B-4205-9CAD-2626E4993404} - C:\Programme\MyGlobalSearch\bar\1.bin\MGSBAR.DLL

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Zango Search Assistant Helper /fleok=1D8A83A5C5E315789FA575760EA83FA5EF80752B94E3D67C5F7B432B3CCF - {56F1D444-11BF-4879-A12B-79CF0177F038} - c:\programme\zango\zangohook.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll

O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll

O3 - Toolbar: My Global Search Bar - {37B85A29-692B-4205-9CAD-2626E4993404} - C:\Programme\MyGlobalSearch\bar\1.bin\MGSBAR.DLL

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS.0\system32\NeroCheck.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [sMSERIAL] sm56hlpr.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [zango] "c:\programme\zango\zango.exe"

O4 - HKCU\..\Run: [CK POPUP KILLER] D:\CK Popup Killer 2.2\PKILL.EXE -hide

O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Programme\Microsoft Works\WkDetect.exe

O4 - HKCU\..\Run: [Registry Cleaner] "C:\Programme\Registry Cleaner Trial\Regclean.exe" -startminimize

O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS.0\system32\NVMCTRAY.DLL,NvTaskbarInit

O4 - Startup: BHODemon 2.0.lnk = C:\Programme\BHODemon 2\BHODemon.exe

O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Programme\ICQToolbar\toolbaru.dll/SEARCH.HTML

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe

O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe

O9 - Extra button: Klicke hier um das Projekt xp-AntiSpy zu unterstützen - {0e921e80-267a-42aa-aee4-60b9a1222a44} - D:\Programme\xp-AntiSpy\sponsoring\sponsor.html (file missing) (HKCU)

O9 - Extra 'Tools' menuitem: Unterstützung für xp-AntiSpy - {0e921e80-267a-42aa-aee4-60b9a1222a44} - D:\Programme\xp-AntiSpy\sponsoring\sponsor.html (file missing) (HKCU)

O9 - Extra button: Klicke hier um das Projekt xp-AntiSpy zu unterstützen - {E1787777-8760-4509-BCFC-18F70ECE1C74} - D:\Programme\xp-AntiSpy\sponsoring\sponsor.html (file missing) (HKCU)

O9 - Extra 'Tools' menuitem: Unterstützung für xp-AntiSpy - {E1787777-8760-4509-BCFC-18F70ECE1C74} - D:\Programme\xp-AntiSpy\sponsoring\sponsor.html (file missing) (HKCU)

O14 - IERESET.INF: START_PAGE_URL=http://www.freenet.de

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1155380085031

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = HARALD-DKW8UT40

O17 - HKLM\Software\..\Telephony: DomainName = HARALD-DKW8UT40

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = HARALD-DKW8UT40

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = HARALD-DKW8UT40

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS.0\SYSTEM32\WgaLogon.dll

O21 - SSODL: bestreak - {874443fe-aa33-4ebf-a6ac-73208787e62d} - C:\WINDOWS.0\system32\viruxz.dll (file missing)

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Programme\Canon\CAL\CALMAIN.exe

O23 - Service: Diskeeper - Executive Software International, Inc. - D:\Programme\Executive Software\DiskeeperLite\DKService.exe

O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Programme\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe


Hi

 

There are some suspect programs running. Some malware items target Ad-Aware SE to prevent themselves being removed; maybe we have one of these. Could you confirm if you are using the free version, Ad-Aware SE Personal, or one of the purchased versions, Plus or Professional? I would need to check if a setting is available in Personal if you are using that.

 

In the meantime, can you remove two items using HijackThis?

 

First please install HijackThis to a folder rather than on your desktop. If you need help with this please see this post:

 

http://www.lavasoftsupport.com/index.php?showtopic=216

 

This will ensure that we can reverse any changes made using HijackThis.

 

Then close all running applications and browser windows etc and start HijackThis. Place a check against each of these two items:

 

O2 - BHO: Zango Search Assistant Helper /fleok=1D8A83A5C5E315789FA575760EA83FA5EF80752B94E3D67C5F7B432B3CCF - {56F1D444-11BF-4879-A12B-79CF0177F038} - c:\programme\zango\zangohook.dll

 

O4 - HKLM\..\Run: [zango] "c:\programme\zango\zango.exe"

 

 

Then click on Fix Checked and exit HijackThis. Reboot the PC and see if Ad-Aware SE will now start. Please post an update and let us know which version of Ad-Aware SE you are running.


To add to Ad Astra's steps, please go to the Control Panel and look in Add/Remove programs. If this is listed, please highlight it and remove it from there:

 

zango <---remove via Add/Remove programs

.............................................

That PC also had a Smitfraud Hijacker, as I see a sign of it in the log at the O21 section. Please run this free tool to remove it and post the requested logs back here:

 

1. Download SmitfraudFix (by S!Ri) to your Desktop (Win2k/WinXP only!).

http://siri.urz.free.fr/Fix/SmitfraudFix.zip

Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.

 

How to extract (decompress) zipped or compressed files

http://www.lvsonline.com/compresstut/index.shtml

 

Note : process.exe is part of the SmitFraudFix tool and is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky, Panda) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

 

 

2. Reboot into Safe Mode

You can usually do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.

 

How to start the computer in Safe mode

http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

 

3. Once in Safe mode, open the SmitfraudFix folder and double-click smitfraudfix.cmd

 

Select option #2 - Clean by typing 2 and press Enter.

Wait for the tool to complete and disk cleanup to finish.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.

The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

 

A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, please do it yourself manually.

 

4. Once back into normal mode, please scan with HijackThis to produce a log. Post that log into your topic along with the other requested logs named below.

 

Logs needed in your next post are:

 

rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed

 

Fresh HijackThis log

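The log reading done in the two replies above (picking out the Zango BHO and Run entries, and the O21 entry marked "file missing") can be written as a small triage script. This is an added example, not part of the original posts and not code from HijackThis or Lavasoft; the function names, the watchlist and the choice of which sections count as autostart are assumptions made for illustration.

```python
import re

# Excerpt of the HijackThis log posted in this thread (entries copied verbatim).
SAMPLE_LOG = r"""
Running processes:
C:\programme\zango\zango.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.de/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Zango Search Assistant Helper /fleok=1D8A83A5C5E315789FA575760EA83FA5EF80752B94E3D67C5F7B432B3CCF - {56F1D444-11BF-4879-A12B-79CF0177F038} - c:\programme\zango\zangohook.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [zango] "c:\programme\zango\zango.exe"
O9 - Extra 'Tools' menuitem: Unterstützung für xp-AntiSpy - {0e921e80-267a-42aa-aee4-60b9a1222a44} - D:\Programme\xp-AntiSpy\sponsoring\sponsor.html (file missing) (HKCU)
O21 - SSODL: bestreak - {874443fe-aa33-4ebf-a6ac-73208787e62d} - C:\WINDOWS.0\system32\viruxz.dll (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
"""

# A log entry is "<section code> - <detail>", e.g. "O4 - HKLM\..\Run: ...".
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")

# Assumption for this example: sections whose entries load code automatically
# (O2 BHOs, O4 Run keys/Startup, O20 Winlogon Notify, O21 SSODL, O23 services).
AUTOSTART = {"O2", "O4", "O20", "O21", "O23"}

def parse_entries(text):
    """Return (section, detail) for each entry line; header and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def triage(text, watchlist=()):
    """Return (section, reason, detail) for entries worth a closer look."""
    findings = []
    for section, detail in parse_entries(text):
        low = detail.lower()
        hits = [w for w in watchlist if w.lower() in low]
        if hits:  # name supplied by the analyst, e.g. a program already identified
            findings.append((section, "watchlist:" + ",".join(hits), detail))
        if section in AUTOSTART and "(file missing)" in low:
            # Registration survives although its target is gone: a removal leftover.
            findings.append((section, "autostart-target-missing", detail))
    return findings

if __name__ == "__main__":
    for section, reason, detail in triage(SAMPLE_LOG, ["zango"]):
        print(f"{section:4} {reason:26} {detail}")
```

The O9 entry is also marked "file missing" but is not reported, because an Internet Explorer menu item does not load code on its own; only the O21 registration is.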
He is running the free version of AdawareSE Personal

 

Thanks / expat83


Hi,

 

Thanks for the great input. I'll pass this on to the customer. I don't think he'll want to pay to have me come over and do all this stuff and his English is good enough to get through it.

Regards and thanks

 

expat83


Hi

 

Please post back how they get on and if they can then run Ad-Aware SE once they have removed the items as described above.
