ad-aware hang

Discussion in 'Malware and Virus Removal Archive' started by Phyllis, 2004/10/24.

Thread Status:
Not open for further replies.
  1. 2004/10/24
    Phyllis

    Phyllis Inactive Thread Starter

    Joined:
    2003/03/11
    Messages:
    150
    Likes Received:
    0
    My athlon was hijacked and every time I run adware it hangs up. I did disable my mcafee. You guys helped me through this stuff in March with my HP. I went through all the postings we did back then to try and resolve the issue before posting again. I have spybot, ad-aware, hjt & cwshredder installed. I cannot seem to get adaware to run. We were hijacked by coolwebsearch. Thanks.
    Phyllis
     
  2. 2004/10/24
    Phyllis

    Phyllis Inactive Thread Starter

    Joined:
    2003/03/11
    Messages:
    150
    Likes Received:
    0
    Also, I can't defrag my C drive; the message is "it is read only".
     

  4. 2004/10/24
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    First, download the latest versions of Ad-aware and CWShredder........they have both been updated since March. After installing the new Ad-aware, check for updates, then reboot to safe mode. Open CWShredder and click fix. Then run Ad-aware in full scan mode. If it completes, delete all it finds.

    CWShredder.exe Version 1.59.1

    Ad-aware SE Personal Edition 1.05 in my signature.
     
  5. 2004/10/24
    Phyllis

    Phyllis Inactive Thread Starter

    Joined:
    2003/03/11
    Messages:
    150
    Likes Received:
    0
    Hi Dave my hero! I do have the latest updates on cwshredder & ad-aware. I'll reboot to safe mode and follow your directions. Be back in a few minutes. Thank you.
    Phyllis
     
  6. 2004/10/24
    Phyllis

    Phyllis Inactive Thread Starter

    Joined:
    2003/03/11
    Messages:
    150
    Likes Received:
    0
    I got it into safe mode and ran cwshredder, but ad-aware keeps hanging up on documents & settings\dan\temp.
    I cancel the scan and go into the folder and delete whatever file I see it is getting hung up on, but I'm doing this now for the 6th time. :confused:
     
  7. 2004/10/24
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Boot back to safe mode, logging on to the Admin account. Open docs and settings\dan\local settings\temp, select all and delete. Do this for all usernames. **Must be set to show hidden files and folders, as local settings is a hidden folder. Open C:\Temp if present, as well as C:\Windows\Temp, select all and delete. If using XP, open C:\Windows\Prefetch, select all and delete. Open My computer, right click Local Disk C: and choose properties, then disk cleanup. Check all boxes except compress old files and OK. Then try running Ad-aware again.
     
  8. 2004/10/24
    Phyllis

    Phyllis Inactive Thread Starter

    Joined:
    2003/03/11
    Messages:
    150
    Likes Received:
    0
    OK, I accomplished that task and deleted a lot of coolweb stuff. I have folders that I can't delete listed under programs. When I attempt to delete them it tells me it can't. There are little folder icons but nothing readable under them: black blocks and weird symbols. How do I get rid of them? I can't run a disk defrag also, it says my c drive is read only.
     
  9. 2004/10/25
    silverwork

    silverwork Inactive

    Joined:
    2003/12/15
    Messages:
    163
    Likes Received:
    0
    I have similar problems (and a thread somewhere). Not only does ADaware hang, but AVG and Spybot too. In fact, any of the programs I need hang and I have to hard reboot. If I don't run anything that threatens the virus, the PC works ok.
     
  10. 2004/10/25
    Phyllis

    Phyllis Inactive Thread Starter

    Joined:
    2003/03/11
    Messages:
    150
    Likes Received:
    0
    If you boot to safe mode as Dave suggests, you can remove the problems. Run the programs in the order he suggests.
     
  11. 2004/10/25
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Hi Phyllis,

    Did you try deleting those folder icons in safe mode? Logged to the Admin account in safe mode? If still no go, right click and choose properties. Uncheck the read only attribute if present and OK. Then try to cut and paste it to another location, such as in C: and try deleting again. If nothing works, see if you can email me a copy of each file. PM me for addy.

    silverwork,

    My suggestion to you is to do an online scan with RAV, click the report button and copy/paste it to a reply in a new thread. Along with that, download HijackThis.exe from here. Save it to a permanent folder (I create a new folder in C:\ named HJT). Open and click scan, then save log. Once it is saved it will open in notepad. Select all from the edit button, copy and paste the results. Don't fix anything with it yet!
     
  12. 2004/10/25
    Phyllis

    Phyllis Inactive Thread Starter

    Joined:
    2003/03/11
    Messages:
    150
    Likes Received:
    0
    Dave, here's my HJT log 1. Thank you. I'll go to the rav now.


    Logfile of HijackThis v1.97.7
    Scan saved at 7:30:07 PM, on 10/25/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\Ati2evxx.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
    C:\WINNT\system32\DRIVERS\CDANTSRV.EXE
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\tcpsvcs.exe
    C:\WINNT\System32\snmp.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
    C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
    C:\WINNT\Explorer.EXE
    C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
    C:\WINNT\system32\P2P Networking\P2P Networking.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Dan Sodroski\Desktop\Adware and Spybot\HijackThis.exe
    C:\Documents and Settings\Dan Sodroski\Desktop\Adware and Spybot\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
    O4 - HKLM\..\Run: [P2P Networking] C:\WINNT\system32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [Ad-Aware] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Aware.exe" +c
    O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autofix
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe "
    O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
    O4 - HKCU\..\Run: [Flhthew] C:\WINNT\system32\t?skmgr.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: AIM (HKLM)
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
    O15 - Trusted Zone: http://www.sealsbunker.com
    O15 - Trusted Zone: http://*.suprnova.org
     
  13. 2004/10/25
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Phyllis, someone has put Kazaa on that system. :( My usual response to that follows.

    You are or were using Kazaa. This is not technically malware by itself, but it installs malware in order to run properly and it opens the door for every other nasty program you can think of. I strongly recommend that you remove it. Read this article for alternatives that will provide some of the same function without the garbage: http://www.spywareinfo.com/articles/p2p/ If you opt to remove it, first use Add/Remove Program to remove it and any reference to Altnet and P2P Networking. Go to your control panel, then to add/remove programs...uninstall P2P networking...If/when asked whether you also want to remove Altnet components, say 'Yes'.
    P2P Networking is a totally useless Kazaa add-on, and it's been reported to be responsible for serious system slowdowns. You may also want to run KazaaBegone to completely purge it from the system. Make sure to get the available LSPFix, just in case. Additionally, there is another new 'nasty' virus using P2P networks to spread itself. More here.

    Fix this entry with HJT and then delete that file. Be sure to get the correct one, as there is also a taskmgr.exe in that folder.


    O4 - HKCU\..\Run: [Flhthew] C:\WINNT\system32\t?skmgr.exe

    You will need to empty the recycle bin too. Reboot when done and post a new log along with the RAV results.
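
Added example, not part of noahdfear's post or the original thread: a Python sketch that scans HijackThis log lines like the ones posted above for file names that differ from a Windows system binary only by a `?` or a non-ASCII character, as `t?skmgr.exe` does against `taskmgr.exe`. The `SYSTEM_BINARIES` list, the function names and the reading of `?` as a character the log could not display are assumptions; the sample lines are copied from the two logs in this thread.

```python
import re
from fnmatch import fnmatchcase
from ntpath import basename

# Assumption: a short, non-exhaustive list of system binaries to compare against.
SYSTEM_BINARIES = {"taskmgr.exe", "svchost.exe", "lsass.exe", "winlogon.exe", "explorer.exe"}
# HijackThis autorun line: O4 - HKxx\..\Run: [value name] command line
O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

def exe_path(cmd):
    """Return the executable path from a Run command line (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0].strip()
    m = re.match(r"(.+?\.exe)\b", cmd, re.I)
    return m.group(1) if m else cmd

def lookalike_of(path):
    """Name the system binary that the file name imitates, or None."""
    name = basename(path).lower()
    # Treat any non-ASCII character like the '?' the log prints in its place.
    masked = "".join(c if c.isascii() else "?" for c in name)
    # In fnmatch patterns '?' matches exactly one character; an exact name is not a hit.
    hits = [r for r in sorted(SYSTEM_BINARIES) if "?" in masked and fnmatchcase(r, masked)]
    return hits[0] if hits else None

def audit(log_text):
    """Return (source, path, imitated binary) for each suspicious log line."""
    findings = []
    for line in map(str.strip, log_text.splitlines()):
        m = O4_RE.match(line)
        if m:
            source, path = "autorun:" + m["name"], exe_path(m["cmd"])
        elif re.match(r"[A-Za-z]:\\", line):
            source, path = "process", line  # "Running processes" entry
        else:
            continue
        real = lookalike_of(path)
        if real:
            findings.append((source, path, real))
    return findings

# Sample lines copied from the two HijackThis logs in this thread.
SAMPLE = r"""
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\t?skmgr.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [P2P Networking] C:\WINNT\system32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKCU\..\Run: [Flhthew] C:\WINNT\system32\t?skmgr.exe
"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Checking the running-process list as well as the `O4` lines matters here: in the second log posted in this thread the `[Flhthew]` Run entry no longer appears, but `t?skmgr.exe` is still listed as a running process.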
     
  14. 2004/10/26
    Phyllis

    Phyllis Inactive Thread Starter

    Joined:
    2003/03/11
    Messages:
    150
    Likes Received:
    0
    RAV I don't understand this site. I'm getting a message that the download center is closed. As far as Kazaa is concerned, will we lose the music files when we remove Kazaa? The P2P networking, will this prevent both my PCs from communicating or interfere with the boys' Battlefield and other on-line games? Lastly, I saw bit torrent on here and thought it was game related. I'm still working on the "move on boot"; it's slow and I see no pattern to a success or failure. Thanks so much :eek:
     
  15. 2004/10/26
    Phyllis

    Phyllis Inactive Thread Starter

    Joined:
    2003/03/11
    Messages:
    150
    Likes Received:
    0
    Removed Kazaa & p2p via add/remove programs from control panel. No success with move on boot or dr. delete. Did not see Altnet anywhere. Tell me how to stop spybot from running when I boot up the pc please. Thank you.

    Logfile of HijackThis v1.97.7
    Scan saved at 9:19:09 AM, on 10/26/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\Ati2evxx.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
    C:\WINNT\system32\DRIVERS\CDANTSRV.EXE
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\tcpsvcs.exe
    C:\WINNT\System32\snmp.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
    C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
    C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
    C:\WINNT\system32\Ati2evxx.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
    C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
    C:\WINNT\system32\t?skmgr.exe
    C:\Documents and Settings\Dan Sodroski\Desktop\Adware and Spybot\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
    O4 - HKLM\..\Run: [Ad-Aware] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Aware.exe" +c
    O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autofix
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe "
    O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: AIM (HKLM)
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
    O15 - Trusted Zone: http://www.sealsbunker.com
    O15 - Trusted Zone: http://*.suprnova.org
     
  16. 2004/10/26
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Hi Phyllis. I'll leave most of this to one of the security guys but for now

    - you should have seen that removing Kazaa & P2P didn't have much effect on stuff you already have.

    - you are running an old version of Hijackthis and need to download the newest one. I think 1.98.2 is still current. Quicklinks in my signature should direct you there.

    O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autofix

    - Running HJT, doing a scan, and checking the above for removal should stop Spybot running at startup without hurting anything else.

    - Take a look at the thumbnail for what you need to do to make RAV run a scan for you.
     
  17. 2004/10/26
    Phyllis

    Phyllis Inactive Thread Starter

    Joined:
    2003/03/11
    Messages:
    150
    Likes Received:
    0
    Thanks Newt! On the thumbnail, I did click to continue and not subscribe; perhaps I need clearer instructions after that point because I always end up being told the download center is closed and I don't see where I can scan my pc on line-only files.
     
  18. 2004/10/26
    Phyllis

    Phyllis Inactive Thread Starter

    Joined:
    2003/03/11
    Messages:
    150
    Likes Received:
    0
    Now, what about these files and folders I can't move, delete, rename or anything? And, my defrag issue. I can't defrag my harddrive, it states the drive is read only?
     
    Last edited: 2004/10/26
  19. 2004/10/26
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    I just tried to run a scan from there and I think the site is busted. Try a google search for online virus scan and both Housecall & Panda are good online scanners that aren't having the problems RAV is these days.

    For the defrag issue, first thing I'd try is to Take Ownership of the C drive and see if it behaves then.

    For the strange-named files/folders that you can't do anything with, more information if you would. There is a great trick for deleting things that resist deletion Here but I think in your situation now it might be a little confusing. If you would open windows explorer and drill down to one of the problem items, take a screen shot, and email that to me I'll post the picture and try to give you specifics for getting rid of it.

    To do a screen shot, when you have windows explorer open to the problem area, press the Print Scr / Sys Rq key which will put a copy of the screen picture in your clipboard. Paste that into the picture editing program of your choice (and Microsoft Paint if you don't have a regular picture editor), save the picture, and attach it to email.
     
  20. 2004/10/27
    Phyllis

    Phyllis Inactive Thread Starter

    Joined:
    2003/03/11
    Messages:
    150
    Likes Received:
    0
    I couldn't send anything through the bbs email. I don't have the option. I'll search for housecall & panda. I've tried dr. delete and move on boot to remove these files/folders but have been unsuccessful. I'm glad that someone else found out that the RAV wasn't working because I thought I was really inept! Take ownership of the c drive. Hummm.... When I attempt to defrag, the message is that my c drive is read only.
     
  21. 2004/10/27
    Phyllis

    Phyllis Inactive Thread Starter

    Joined:
    2003/03/11
    Messages:
    150
    Likes Received:
    0
    It's always something...I went to panda and upon requesting scan on line the message was my browser was not supported that it needs ie 4.0 or better. I ran into this yesterday. I have ie 6.0 installed. Is there something in my internet tools I need to change? I disabled my mcafee. Oh, and when I post to this bbs, I always have to click the link "if you are not automatically ....click here." I never had that before so I'm sure something needs to be unchecked in my internet options...but which one?? Also, I'm running windows 2000 the links you gave me apply to xp. Thank you.
     
    Last edited: 2004/10/27