
Need Help Removing Inqwire


13 replies to this topic

#1 Flakman


Posted 07 November 2005 - 11:18 PM

Hi all

I am infected with the Inqwire adware program. I have run Spybot Search and Destroy and Ad-aware. Both find problems and fix them, but the Inqwire popup ads keep coming back. I have checked my start programs and run areas of my registry and find nothing abnormal and no weird run programs that I can determine.

Logfile of HijackThis v1.99.1
Scan saved at 8:11:29 PM, on 11/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Teamspeak2_RC2\TeamSpeak.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\W-L~1\LOCALS~1\Temp\Temporary Directory 3 for HijackThis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://viaarena.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [EasyTuneV] C:\Program Files\Gigabyte\ET5\GUI.exe
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1120011187156
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

Any help would be much appreciated. This is the log after running both Spybot and Ad-aware. Let me know if you need more.

Thanks in advance

Oops, I just realized this is in the wrong forum. Admin, please move.

Edited by Flakman, 07 November 2005 - 11:33 PM.




#2 -David-


Posted 09 November 2005 - 11:56 AM

Hi and Welcome to bleeping computer!!

My name is David

Please do both of the following before we start if possible!:

1) Please print off these instructions - they will be needed later when internet access is not available.
2) Save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.

There is a bit to do on the log - I can almost guarantee ewido will remove something - it's also a good free tool to keep in your arsenal! :thumbsup:

Please download ewido security suite; it is a free version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck:
    • Install background guard
    • Install scan via context menu
  • Launch ewido, there should be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Once the updates are installed do the following:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Close ewido security suite.

Post a new HJT log and the ewido log at the end! :flowers:
David

#3 Flakman


Posted 09 November 2005 - 09:35 PM

First I would like to thank you for your fast reply.

The ewido program did indeed find some stuff; I posted the log below. This program is excellent, thanks for sharing it. :thumbsup:


ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 6:27:05 PM, 11/9/2005
+ Report-Checksum: DECE6E6C

+ Scan result:

:mozilla.11:C:\Documents and Settings\W - L\Application Data\Mozilla\Firefox\Profiles\ypl6xjet.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.12:C:\Documents and Settings\W - L\Application Data\Mozilla\Firefox\Profiles\ypl6xjet.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.13:C:\Documents and Settings\W - L\Application Data\Mozilla\Firefox\Profiles\ypl6xjet.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.14:C:\Documents and Settings\W - L\Application Data\Mozilla\Firefox\Profiles\ypl6xjet.default\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.15:C:\Documents and Settings\W - L\Application Data\Mozilla\Firefox\Profiles\ypl6xjet.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.23:C:\Documents and Settings\W - L\Application Data\Mozilla\Firefox\Profiles\ypl6xjet.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.24:C:\Documents and Settings\W - L\Application Data\Mozilla\Firefox\Profiles\ypl6xjet.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.25:C:\Documents and Settings\W - L\Application Data\Mozilla\Firefox\Profiles\ypl6xjet.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.27:C:\Documents and Settings\W - L\Application Data\Mozilla\Firefox\Profiles\ypl6xjet.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.28:C:\Documents and Settings\W - L\Application Data\Mozilla\Firefox\Profiles\ypl6xjet.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.33:C:\Documents and Settings\W - L\Application Data\Mozilla\Firefox\Profiles\ypl6xjet.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.34:C:\Documents and Settings\W - L\Application Data\Mozilla\Firefox\Profiles\ypl6xjet.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.35:C:\Documents and Settings\W - L\Application Data\Mozilla\Firefox\Profiles\ypl6xjet.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.36:C:\Documents and Settings\W - L\Application Data\Mozilla\Firefox\Profiles\ypl6xjet.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.37:C:\Documents and Settings\W - L\Application Data\Mozilla\Firefox\Profiles\ypl6xjet.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.48:C:\Documents and Settings\W - L\Application Data\Mozilla\Firefox\Profiles\ypl6xjet.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.52:C:\Documents and Settings\W - L\Application Data\Mozilla\Firefox\Profiles\ypl6xjet.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.53:C:\Documents and Settings\W - L\Application Data\Mozilla\Firefox\Profiles\ypl6xjet.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.54:C:\Documents and Settings\W - L\Application Data\Mozilla\Firefox\Profiles\ypl6xjet.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.55:C:\Documents and Settings\W - L\Application Data\Mozilla\Firefox\Profiles\ypl6xjet.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.87:C:\Documents and Settings\W - L\Application Data\Mozilla\Firefox\Profiles\ypl6xjet.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.88:C:\Documents and Settings\W - L\Application Data\Mozilla\Firefox\Profiles\ypl6xjet.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.89:C:\Documents and Settings\W - L\Application Data\Mozilla\Firefox\Profiles\ypl6xjet.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.90:C:\Documents and Settings\W - L\Application Data\Mozilla\Firefox\Profiles\ypl6xjet.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.91:C:\Documents and Settings\W - L\Application Data\Mozilla\Firefox\Profiles\ypl6xjet.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.92:C:\Documents and Settings\W - L\Application Data\Mozilla\Firefox\Profiles\ypl6xjet.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.93:C:\Documents and Settings\W - L\Application Data\Mozilla\Firefox\Profiles\ypl6xjet.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.94:C:\Documents and Settings\W - L\Application Data\Mozilla\Firefox\Profiles\ypl6xjet.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.95:C:\Documents and Settings\W - L\Application Data\Mozilla\Firefox\Profiles\ypl6xjet.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.96:C:\Documents and Settings\W - L\Application Data\Mozilla\Firefox\Profiles\ypl6xjet.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.97:C:\Documents and Settings\W - L\Application Data\Mozilla\Firefox\Profiles\ypl6xjet.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.108:C:\Documents and Settings\W - L\Application Data\Mozilla\Firefox\Profiles\ypl6xjet.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.109:C:\Documents and Settings\W - L\Application Data\Mozilla\Firefox\Profiles\ypl6xjet.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.110:C:\Documents and Settings\W - L\Application Data\Mozilla\Firefox\Profiles\ypl6xjet.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.112:C:\Documents and Settings\W - L\Application Data\Mozilla\Firefox\Profiles\ypl6xjet.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.128:C:\Documents and Settings\W - L\Application Data\Mozilla\Firefox\Profiles\ypl6xjet.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.135:C:\Documents and Settings\W - L\Application Data\Mozilla\Firefox\Profiles\ypl6xjet.default\cookies.txt -> Spyware.Cookie.Valuead : Cleaned with backup
:mozilla.136:C:\Documents and Settings\W - L\Application Data\Mozilla\Firefox\Profiles\ypl6xjet.default\cookies.txt -> Spyware.Cookie.Valuead : Cleaned with backup
:mozilla.137:C:\Documents and Settings\W - L\Application Data\Mozilla\Firefox\Profiles\ypl6xjet.default\cookies.txt -> Spyware.Cookie.Valuead : Cleaned with backup
:mozilla.138:C:\Documents and Settings\W - L\Application Data\Mozilla\Firefox\Profiles\ypl6xjet.default\cookies.txt -> Spyware.Cookie.Valuead : Cleaned with backup
:mozilla.139:C:\Documents and Settings\W - L\Application Data\Mozilla\Firefox\Profiles\ypl6xjet.default\cookies.txt -> Spyware.Cookie.Valuead : Cleaned with backup
:mozilla.142:C:\Documents and Settings\W - L\Application Data\Mozilla\Firefox\Profiles\ypl6xjet.default\cookies.txt -> Spyware.Cookie.Revenue : Cleaned with backup
:mozilla.143:C:\Documents and Settings\W - L\Application Data\Mozilla\Firefox\Profiles\ypl6xjet.default\cookies.txt -> Spyware.Cookie.Revenue : Cleaned with backup
:mozilla.144:C:\Documents and Settings\W - L\Application Data\Mozilla\Firefox\Profiles\ypl6xjet.default\cookies.txt -> Spyware.Cookie.Revenue : Cleaned with backup
:mozilla.145:C:\Documents and Settings\W - L\Application Data\Mozilla\Firefox\Profiles\ypl6xjet.default\cookies.txt -> Spyware.Cookie.Revenue : Cleaned with backup
:mozilla.148:C:\Documents and Settings\W - L\Application Data\Mozilla\Firefox\Profiles\ypl6xjet.default\cookies.txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
:mozilla.161:C:\Documents and Settings\W - L\Application Data\Mozilla\Firefox\Profiles\ypl6xjet.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.162:C:\Documents and Settings\W - L\Application Data\Mozilla\Firefox\Profiles\ypl6xjet.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.163:C:\Documents and Settings\W - L\Application Data\Mozilla\Firefox\Profiles\ypl6xjet.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.164:C:\Documents and Settings\W - L\Application Data\Mozilla\Firefox\Profiles\ypl6xjet.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.165:C:\Documents and Settings\W - L\Application Data\Mozilla\Firefox\Profiles\ypl6xjet.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.166:C:\Documents and Settings\W - L\Application Data\Mozilla\Firefox\Profiles\ypl6xjet.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.167:C:\Documents and Settings\W - L\Application Data\Mozilla\Firefox\Profiles\ypl6xjet.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.168:C:\Documents and Settings\W - L\Application Data\Mozilla\Firefox\Profiles\ypl6xjet.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.169:C:\Documents and Settings\W - L\Application Data\Mozilla\Firefox\Profiles\ypl6xjet.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.174:C:\Documents and Settings\W - L\Application Data\Mozilla\Firefox\Profiles\ypl6xjet.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.175:C:\Documents and Settings\W - L\Application Data\Mozilla\Firefox\Profiles\ypl6xjet.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.176:C:\Documents and Settings\W - L\Application Data\Mozilla\Firefox\Profiles\ypl6xjet.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.177:C:\Documents and Settings\W - L\Application Data\Mozilla\Firefox\Profiles\ypl6xjet.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.178:C:\Documents and Settings\W - L\Application Data\Mozilla\Firefox\Profiles\ypl6xjet.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.179:C:\Documents and Settings\W - L\Application Data\Mozilla\Firefox\Profiles\ypl6xjet.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.180:C:\Documents and Settings\W - L\Application Data\Mozilla\Firefox\Profiles\ypl6xjet.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.181:C:\Documents and Settings\W - L\Application Data\Mozilla\Firefox\Profiles\ypl6xjet.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.185:C:\Documents and Settings\W - L\Application Data\Mozilla\Firefox\Profiles\ypl6xjet.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.186:C:\Documents and Settings\W - L\Application Data\Mozilla\Firefox\Profiles\ypl6xjet.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Documents and Settings\W - L\Cookies\w - l@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\W - L\Cookies\w - l@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\W - L\Cookies\w - l@adtech[2].txt -> Spyware.Cookie.Adtech : Cleaned with backup
C:\Documents and Settings\W - L\Cookies\w - l@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\W - L\Cookies\w - l@as-us.falkag[1].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\W - L\Cookies\w - l@as1.falkag[2].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\W - L\Cookies\w - l@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\W - L\Cookies\w - l@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\W - L\Cookies\w - l@edge.ru4[1].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Documents and Settings\W - L\Cookies\w - l@ehg-ati.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\W - L\Cookies\w - l@fastclick[1].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\W - L\Cookies\w - l@hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\W - L\Cookies\w - l@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\W - L\Cookies\w - l@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\W - L\Cookies\w - l@servedby.advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\W - L\Cookies\w - l@trafficmp[1].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\W - L\Cookies\w - l@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\W - L\Cookies\w - l@yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\W - L\Cookies\w - l@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup

#4 Flakman


Posted 09 November 2005 - 10:06 PM

I realized that my browser was open while I was running ewido. And Inqwire was open in it, so I closed the browser and ran it again and it came up with another entry.

I posted this log in case it might help.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 6:53:10 PM, 11/9/2005
+ Report-Checksum: D1EBAA25

+ Scan result:

C:\Documents and Settings\W - L\Cookies\w - l@adopt.specificclick[1].txt -> Spyware.Cookie.Specificclick : Cleaned with backup


::Report End

#5 Flakman


Posted 09 November 2005 - 11:54 PM

I apologize, I needed to include a new HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 8:50:12 PM, on 11/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\DOCUME~1\W-L~1\LOCALS~1\Temp\Temporary Directory 11 for HijackThis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://viaarena.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [EasyTuneV] C:\Program Files\Gigabyte\ET5\GUI.exe
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1120011187156
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
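
Added example (not part of the thread, and not HijackThis's own code): Python that parses two HijackThis logs and reports what changed between them, the comparison a helper makes by eye between the logs in posts #1 and #5. The sample logs are abridged from those two posts; the function names (`parse_hjt`, `diff_logs`, `missing_files`) are hypothetical.

```python
import re

# A HijackThis entry is "<section code> - <detail>", e.g. "O4 - HKLM\..\Run: [...] ...".
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")


def parse_hjt(text):
    """Split a HijackThis log into running-process paths and (code, detail) entries."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False           # a blank line ends the process list
        elif line == "Running processes:":
            in_processes = True
        elif in_processes:
            processes.append(line)
        else:
            match = ENTRY_RE.match(line)
            if match:                       # header lines ("Platform: ...") are skipped
                entries.append((match.group(1), match.group(2)))
    return {"processes": processes, "entries": entries}


def _delta(old, new):
    """Items present in new but not in old. Windows paths are case-insensitive,
    so compare lowercased; report the original spelling, in log order."""
    seen = {item.lower() for item in old}
    return [item for item in new if item.lower() not in seen]


def diff_logs(before_text, after_text):
    """Report processes and entries that appeared or disappeared between two scans."""
    before, after = parse_hjt(before_text), parse_hjt(after_text)

    def as_lines(log):
        return [f"{code} - {detail}" for code, detail in log["entries"]]

    return {
        "processes_added": _delta(before["processes"], after["processes"]),
        "processes_removed": _delta(after["processes"], before["processes"]),
        "entries_added": _delta(as_lines(before), as_lines(after)),
        "entries_removed": _delta(as_lines(after), as_lines(before)),
    }


def missing_files(text):
    """Entries HijackThis marked '(file missing)': a registration with no file behind it."""
    return [(c, d) for c, d in parse_hjt(text)["entries"] if d.endswith("(file missing)")]


# Sample input: abridged from the logs in posts #1 and #5 of this thread.
LOG_BEFORE = r"""
Logfile of HijackThis v1.99.1
Scan saved at 8:11:29 PM, on 11/7/2005

Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://viaarena.com/
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""

LOG_AFTER = r"""
Logfile of HijackThis v1.99.1
Scan saved at 8:50:12 PM, on 11/9/2005

Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://viaarena.com/
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
"""

if __name__ == "__main__":
    for change, items in diff_logs(LOG_BEFORE, LOG_AFTER).items():
        for item in items:
            print(f"{change}: {item}")
    for code, detail in missing_files(LOG_BEFORE):
        print(f"file missing: {code} - {detail}")
```
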

#6 -David-


Posted 10 November 2005 - 05:42 PM

Well the log is clean - what is telling you that you are infected? Have you tried seeing if it can be removed from add/remove programs in the control panel perhaps?

David

#7 Flakman


Posted 10 November 2005 - 09:39 PM

I'll be cruising the net then without warning I'll get a flood of these annoying Inqwire popups. It doesn't seem to matter what web site I'm on either. I searched the net with Google and saw a lot of people with this infection came here for this kind of thing.

I have checked Add/Remove and found nothing abnormal. I also checked the registry for abnormal Run entries, and checked msconfig for any strange startup programs or services.

Now I'm wondering if one of the websites I visit is triggering this somehow since you don't see anything.

Anyway, thanks David for checking for me. You have a great site here and a wonderful program. Maybe I need to install spyblaster to block this web site. God I hate these people.
:thumbsup:

Thank you very much for your time and help.

William

#8 -David-


Posted 11 November 2005 - 11:44 AM

Download WinPFind

Extract WinPFind.zip to your c:\ folder.

Reboot your computer into Safe Mode

Then open c:\WinPFind and double-click on WinPFind.exe.
When the program is open, click on the Start Scan button to start scanning your computer. Be patient as this scan may take a while.
When it is done, it will show a log and tell you the scan is completed. Reboot your computer back to normal mode and post the contents of c:\WinPFind\WinPFind.txt as a reply to this topic.

David

#9 Gankaku


Posted 13 November 2005 - 05:32 PM

I just wanted to say thanks for recommending ewido. I ran it today and it found over 400 instances of spyware on my computer. I regularly run Adaware, Spybot S&D, and Spyware Blaster, and keep Spyware Guard running at all times. Even together, these have not protected me, and they would not find or remove Inqwire or Zado spyware that was on my system.

#10 -David-


Posted 14 November 2005 - 05:36 AM

:thumbsup:

Any progress Flakman?

David

#11 Flakman


Posted 14 November 2005 - 09:33 PM

Sorry, been busy.

I still haven't had time to run the program. One thing I have noticed is one site I visit seems to trigger this. I can go to sites all night and won't see Inqwire but either during visiting that site or right after it happens. I may write them off.

I should have time to run it later this week. I apologize for the delay.

Edited by Flakman, 14 November 2005 - 09:35 PM.


#12 -David-


Posted 15 November 2005 - 04:37 AM

No problem, take your time! :thumbsup:

#13 Flakman


Posted 28 November 2005 - 12:01 AM

Had an emergency and had to leave town for a bit. Everything is ok now so had a chance to play with the problem a little more.

Not sure what fixed it but I haven't seen Inqwire in over a week now after running that last program you posted in safe mode, so thank you for that.

I appreciate all your help and apologize for not posting earlier.

Thanks again
William

#14 -David-


Posted 28 November 2005 - 12:40 PM

Ok! Glad I was able to help you! :thumbsup:

The log is clean! :flowers:

If I have helped you please consider making a donation using the "make a donation" button in my signature. My help is free, but please consider it to keep me fighting spyware for you and others! :trumpet: :inlove:

Now turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a restore point:

Single-click Start and point to All Programs.
Mouse over Accessories, then System Tools, and select System Restore.
In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button.
Type a description for your new restore point. Something like "After trojan/spyware cleanup". Click Create and you're done.

David
