Lavasoft Ad-Aware and other programs

My computer continues to try to install lavasoft Ad-Aware. There is also music or other programs playing in the background. I ran all of the tools and scans and are attaching the logs. I was also not able to run TDSSKiller. Thanks in advance for your help.

 

Hello sbelgard,

http://3.bp.blogspot.com/-tH5H1icUyOc/T1XP6r4puoI/AAAAAAAAAQE/jLwmqQECjCg/s1600/hitmanpro.gif - Fix items using HitmanPro
Rescan with HitmanPro and allow HitmanPro to take the default actions on the items it detects.
The repairs should require a reboot, please allow the reboot.
Once you have rebooted, rescan with HitmanPro and attach its latest log.

http://img196.imageshack.us/img196/3557/tdsskiller.gif Attempt to scan with TDSSKiller.
Attach the TDSSKiller log if successful.

 

I am attaching the hitman pro log. I was able to run the tdsskiller program , it would not let me save the report. It said no threats were found. Ran with default settings.

 

http://img17.imageshack.us/img17/3214/baticonvista7.gif Now run C:\MGtools\GetLogs.bat by right-mouse clicking it and then selecting Run as Administrator
This updates all of the logs inside MGlogs.zip.
When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

 

here is the mglogs file you requested

 

http://img850.imageshack.us/img850/4746/programsandfeatureswin7.gif From Programs and Features (via Control Panel), please uninstall the below:

• Ad-Aware Antivirus
• Java(TM) 6 Update 25
• Java(TM) 7 Update 5

http://img825.imageshack.us/img825/2648/hjt.gif Run C:\MGtools\analyse.exe by double-clicking it (Vista/7 right-click and select Run as Administrator)
Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
Choose "Do a system scan only" and select the following lines but do not click fix until you exit all explorer windows and all browser sessions including the one you are reading in right now:

1. R3 - URLSearchHook: (no name) - {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - (no file)
2. R3 - URLSearchHook: (no name) - {50fafaf0-70a9-419d-a109-fa4b4ffd4e37} - (no file)
3. R3 - URLSearchHook: (no name) - {3bbd3c14-4c16-4989-8366-95bc9179779d} - (no file)
4. R3 - URLSearchHook: (no name) - {462be121-2b54-4218-bf00-b9bf8135b23f} - (no file)
5. O2 - BHO: Searchqu Toolbar - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\PROGRA~2\WI3C8A~1\Datamngr\ToolBar\searchqudtx.dll (file missing)
6. O3 - Toolbar: (no name) - !{47833539-D0C5-4125-9FA8-0819E2EAAC93} - (no file)
7. O3 - Toolbar: (no name) - !{517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - (no file)
8. O3 - Toolbar: (no name) - !{88c7f2aa-f93f-432c-8f0e-b7d85967a527} - (no file)
9. O3 - Toolbar: (no name) - !{EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
10. O3 - Toolbar: Searchqu Toolbar - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\PROGRA~2\WI3C8A~1\Datamngr\ToolBar\searchqudtx.dll (file missing)

After clicking Fix, exit out of Trend Micro HiJackThis - v2.0.4


http://img205.imageshack.us/img205/1894/otl.gif Fix items using OTL by OldTimer

Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
Copy the text in the code box below and paste it into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.

Code:

[COLOR="DarkRed"]:services [/COLOR]
Ad-Aware Service 
[COLOR="DarkRed"]:files[/COLOR]
C:\Program Files (x86)\Ad-Aware Antivirus /d
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ad-Aware Antivirus
C:\Program Files (x86)\WI3C8A~1 /d
C:\user.js
[COLOR="DarkRed"]:reg[/COLOR]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state]
"startup"=dword:00000000
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD21}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD21}]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}]
[COLOR="DarkRed"]:commands[/COLOR]
[clearallrestorepoints]
[emptytemp]
[resethosts]

Now click the http://img3.imageshack.us/img3/407/otlrunfix.png button.
If the fix needed a reboot please do it.
Click the OK button (upon reboot).
When OTL is finished, Notepad will open. Close Notepad.
A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
Attach this log to your next message. (How to attach)

__

http://img17.imageshack.us/img17/3214/baticonvista7.gif Now run C:\MGtools\GetLogs.bat by right-mouse clicking it and then selecting Run as Administrator
This updates all of the logs inside MGlogs.zip.
When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

__

Let me know how things are running after you have completed these steps!

 

ad-aware would not uninstall. I am attaching a word document with the error message. Is still trying to install ad-aware

 

Your latest logs show some signs of reinfection

Code:

Locating all files created in "C:\Users\Ann\AppData\Roaming\" within the last 90 days.           
                                                                              
----a-w           372,224 2012-09-04 23:55:00  C:\Users\Ann\AppData\Roaming\hlapi.dll
----a-w           162,816 2012-09-04 23:53:51  C:\Users\Ann\AppData\Roaming\ubdht.dll

These files were not present in your previous sets of logs.
Be careful of what you are doing on the compromised computer while we are working together or we may never get to the end

Do you know what these files are for?

• C:\ProgramData\23lldnur.pad
• C:\ProgramData\ras_0oed.pad

If not, please delete them.
Let me know if successful or not (or if you knew what they are).

__

Download and install this program: Revo Uninstaller
Open Revo Uninstaller and locate Ad-Aware Antivirus then press the Uninstall button and choose "Moderate".
Let me know how this works out.

__

http://img205.imageshack.us/img205/1894/otl.gif Fix items using OTL by OldTimer

Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
Copy the text in the code box below and paste it into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.

Code:

[COLOR="DarkRed"]:processes[/COLOR]
killallprocesses
[COLOR="DarkRed"]:files[/COLOR]
C:\windows\system32\drivers\81979808.sys
C:\Users\Ann\AppData\Roaming\hlapi.dll
C:\Users\Ann\AppData\Roaming\ubdht.dll
C:\ProgramData\1FE7 /d
C:\ProgramData\Lavasoft
C:\Program Files (x86)\TorrentSearch
[COLOR="DarkRed"]:reg[/COLOR]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state]
"startup"=dword:00000000
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD21}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}]
[COLOR="DarkRed"]:commands[/COLOR]
[clearallrestorepoints]

Now click the http://img3.imageshack.us/img3/407/otlrunfix.png button.
If the fix needed a reboot please do it.
Click the OK button (upon reboot).
When OTL is finished, Notepad will open. Close Notepad.
A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
Attach this log to your next message. (How to attach)

__

Please do not use MSconfig.

__

http://img205.imageshack.us/img205/1894/otl.gif Scan with OTL by OldTimer.

• Right mouse click on the OTL icon on your desktop and select Run as Administrator
• Check the "Scan All Users" checkbox.
• Check the "Standard Output".
• Change the setting of "Drivers" and "Services" to "All"
• Copy the text in the code box below and paste it into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.
  
  Code:

  activex
  netsvcs
  drives
  %windir%\system32\drivers\*.sys /lockedfiles
  

• Now click the http://img171.imageshack.us/img171/2405/runscanotl.png button.
• One report will be created:
  • OTL.txt <-- Will be opened
• Attach OTL.txt to your next message. (How to attach)

 

sorry. do not know where those files came from. ad-aware seems to be removed. here are the logs

 

http://img196.imageshack.us/img196/3557/tdsskiller.gif Custom scan using TDSSKiller

• Double-click TDSSKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
• Click Change Parameters.
• Add a checkmark to "Detect TDLFS File System"
• Press OK.
• Press Start Scan.
• If TDSS File System is detected, make TDSSKiller Delete it by clicking the drop down menu and selecting Delete.
• Leave any other detections alone (Skip).
• Click Close when finished.

__

Code:

C:\Users\Ann\[COLOR="Red"]My Documents[/COLOR]\OTL.exe

OTL should be run from the desktop. Not this folder. Please move it to the desktop before proceeding with the below.

http://img205.imageshack.us/img205/1894/otl.gif Fix items using OTL by OldTimer

Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
Copy the text in the code box below and paste it into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.

Code:

[COLOR="DarkRed"]:processes[/COLOR]
killallprocesses
[COLOR="DarkRed"]:otl[/COLOR]
IE:64bit: - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD21}: "URL" = http://dts.search-results.com/sr?src=ieb&appid=0&systemid=1&sr=0&q={searchTerms}
IE:64bit: - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}: "URL" = http://dts.search-results.com/sr?src=ieb&appid=150&systemid=406&sr=0&q={searchTerms}
O3:64bit: - HKLM\..\Toolbar: (no name) - !{47833539-D0C5-4125-9FA8-0819E2EAAC93} - No CLSID value found.
O3:64bit: - HKLM\..\Toolbar: (no name) - !{517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - No CLSID value found.
O3:64bit: - HKLM\..\Toolbar: (no name) - !{88c7f2aa-f93f-432c-8f0e-b7d85967a527} - No CLSID value found.
O3:64bit: - HKLM\..\Toolbar: (no name) - !{EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O3:64bit: - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - !{47833539-D0C5-4125-9FA8-0819E2EAAC93} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - !{517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - !{88c7f2aa-f93f-432c-8f0e-b7d85967a527} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - !{EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-3277857406-3799238897-181428864-1001\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-3277857406-3799238897-181428864-1001\..\Toolbar\WebBrowser: (no name) - {3BBD3C14-4C16-4989-8366-95BC9179779D} - No CLSID value found.
O3 - HKU\S-1-5-21-3277857406-3799238897-181428864-1001\..\Toolbar\WebBrowser: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.7.0/jinstall-1_7_0_05-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0017-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_05-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_05-windows-i586.cab (Reg Error: Key error.)
[2012/09/04 19:10:04 | 000,000,000 | ---- | M] () -- C:\Users\Ann\AppData\Local\¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ
[COLOR="DarkRed"]:files[/COLOR]
C:\ProgramData\23lldnur.pad /d
C:\ProgramData\ras_0oed.pad /d
C:\ProgramData\382D0 /d

Now click the http://img3.imageshack.us/img3/407/otlrunfix.png button.
If the fix needed a reboot please do it.
Click the OK button (upon reboot).
When OTL is finished, Notepad will open. Close Notepad.
A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
Attach this log to your next message. (How to attach)

__

http://img17.imageshack.us/img17/3214/baticonvista7.gif Now run C:\MGtools\GetLogs.bat by right-mouse clicking it and then selecting Run as Administrator
This updates all of the logs inside MGlogs.zip.
When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

 

here are the logs

 

You forgot to attach your latest OTL FIX log.

This should be it: C:\_OTL\MovedFiles\09062012_100545.log

Also let me know how things are running.

 

i ran that earlier but forgot to hit fix. I have not done anything with it but run the scans. Adaware seems to be removed and the random ads have seemed to stop also. Here is the otl log

 

Looks good

If you are not having any other malware related problems, it is time to do our final steps:

• Any programs we had you download and/or install can be removed at this time.
• If we had you download and run ComboFix, here is how to uninstall it:
  • Press and hold the Windows key http://i1106.photobucket.com/albums/h363/debojyotidas/Windows_Logo_key.gif and then press the letter R on your keyboard.
  • This opens the Run dialog box.
  • Copy and paste the below text inside the text-field:
    • "%userprofile%\desktop\ComboFix" /uninstall
  • Now press ENTER
  • ComboFix will extract its files one last time and you should receive a notification that ComboFix has been uninstalled shortly after.
• You can re-enable your Disk Emulation software at this time via DeFogger.
• If we had you create or download a registry patch or "fix" script, these can be deleted at this time.
• Go into the C:\MGtools folder and run the MGclean.bat file to remove additional traces of our tools.
• Now we will toggle System Restore to remove any infected system restore points.
  • Read this: How to Disable And Enable System Restore
• Lastly, here is a guide to protect you from future infections: How to Protect yourself from malware!
• Be safe

 

thanks for all your help!!!!

 

I went to uninstall AVG and error stating the windows installer service could not be accessed. How do I fix this?

 

Use this tool instead:

http://img10.imageshack.us/img10/3213/avguninstall.gif Please download and run AVG Remover

 

that worked. Thanks again for your time and help with this.

 

You're welcome