
IAmSad

Hi,

My Zone Alarm first informed me that the above program is trying to connect to the internet. I refused the connection.

Since then, my Ad-watch program has been telling me about a registry modification every 30 seconds.

What can I do?

Thank you for your help.

Luc
Montréal, Canada
Remove it from the ZA program list and see what happens.
I removed it. ZA asked me again if I want the program to connect to the internet. I still deny this access.

Ad-watch still continues to advise me of a registry modification detected every 30 seconds.
Go to http://tomcoyote.org/hjt/ and download HiJackThis. Use Winzip to unzip it, then install and run it. To run, click the "Scan" button. When it's done, the "Scan" button changes to "Save Log". Save the log file it creates (it should open in Notepad at that point). Copy and paste the results in your next post. If you happen to be using a proxy server, please mention it in your post. Most of what it finds is harmless, so do not do anything yet. Someone will be glad to help you sort out any of the baddies that may be in there.
What exactly does HiJackThis do?
HiJackThis shows browser home and search page hijacks, hence its name. But it goes on to show BHOs and toolbars that have spyware or adware attached to them.

It also lists all the programs that run at start up. Since much bloatware and spyware, viruses, trojans and so on all want to be running when you first start your PC, it becomes a powerful tool in helping us spot anything in the way of spyware, viruses and so on, on your computer.
I'm gonna have to go get it and play with it. Thanks!
Look over in the security forum and you will see a lot of HJT logs posted.

BTW, what part of Chicago?
Logfile of HijackThis v1.97.2
Scan saved at 07:47:11, on 2003-09-14
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\DAP\DAP.EXE
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\WINDOWS\System32\IAMSAD.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Meaya\Popup Ad Filter\PopFilter.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\Program Files\Internet Call Manager\Icm.exe
C:\Program Files\McAfee.com\SpamKiller\SpamKiller.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Stealther\stealth27.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\Program Files\Grisoft\AVG7\avgemc.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
C:\Program Files\Grisoft\AVG7\avgwb.dat
C:\Program Files\Internet Explorer\iexplore.exe
C:\cracks3\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:14000
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\PROGRA~1\COPERN~2\COPERN~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\Avg6\avgcc32.exe /startup
O4 - HKLM\..\Run: [NAV Auto Update] IAMSAD.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Popup Ad Filter] C:\Program Files\Meaya\Popup Ad Filter\PopFilter.exe
O4 - HKCU\..\Run: [CursorXP] "C:\Program Files\CursorXP\CursorXP.exe" -s
O4 - Startup: zonealarm pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O4 - Startup: 3Deep.lnk = C:\Program Files\E-Color\3Deep\3Deepctl.exe
O4 - Startup: Internet Call Manager.LNK = C:\Program Files\Internet Call Manager\ICM.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: McAfee.com SpamKiller.lnk = C:\Program Files\McAfee.com\SpamKiller\SpamKiller.exe
O4 - Startup: AVG Control Center.lnk = C:\Program Files\Grisoft\AVG7\avgcc.exe
O4 - Startup: Stealther.lnk = C:\Program Files\Stealther\stealth27.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm
O8 - Extra context menu item: Allow Popups - C:\Program Files\Meaya\Popup Ad Filter\WhiteGetUrl.js
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Search Using Copernic Agent - C:\Program Files\Copernic Agent\Web\SearchExt.htm
O9 - Extra 'Tools' menuitem: Launch Copernic Agent (HKLM)
O9 - Extra button: Copernic Agent (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: NeoTrace It! (HKCU)
O17 - HKLM\System\CCS\Services\Tcpip\..\{90329B32-1797-4851-8206-2D94C4F36EC9}: NameServer = 142.169.1.16 199.84.242.22
Hi Luc
Nice to see a fellow Canadian in the forum

Please do a scan using your AA6 Plus or Professional version as per these instructions:
http://forums.techguy.org/t164245/s0a063c8e42e774d467619d00dcbcffd8.html

You can post an AA6 log file for review.
Hi normmork,

This is the scan you asked for. I simply put one file on my ignore list in AA6 because if I remove it, my Kazaa doesn't work. Thank you for your help (that includes NiteHawk), because this problem is getting on my nerves and I hope that I will get out of this with less harm than Beamer_nm.

Lavasoft Ad-aware Professional Build 6.181
Logfile created on :14 septembre, 2003 17:12:15
Using reference-file :01R218 13.09.2003
______________________________________________________

Reffile status:
=========================
Reference file loaded:
Reference Number : 01R218 13.09.2003
Internal build : 108
File location : C:\Program Files\Lavasoft\Ad-aware 6\reflist.ref
Total size : 580291 Bytes
Signature data size : 569084 Bytes
Reference data size : 11143 Bytes
Signatures total : 13086
Target categories : 10
Target families : 271

Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium IV
Memory available:54 %
Total physical memory:523808 kb
Available physical memory:279620 kb
Total page file size:1278340 kb
Available on page file:620120 kb
Total virtual memory:2097024 kb
Available virtual memory:2047712 kb
OS:

Ad-aware Settings
=========================
Set : Activate in-depth scan (Recommended)
Set : Move deleted files to recycle bin
Set : Safe mode (always request confirmation)
Set : Skip non executable files
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-aware Settings
=========================
Set : Unload recognized processes during scanning
Set : Include info about ignored objects in logfile, if detected in scan
Set : Include basic Ad-aware settings in logfile
Set : Include additional Ad-aware settings in logfile
Set : Include used command line parameters in logfile
Set : Automatically mark all objects in result list
Set : Automatically try to unregister objects prior to deletion
Set : XP/2000: Allow unloading explorer to unload shell extensions prior deletion)
Set : Let windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Block Popups and banned sites
Set : Automatically save event log on close
Set : Log Ad-aware events
Set : Show splash screen
Set : Always back up reference file, before updating
Set : Play sound if scan produced a result

2003-09-14 17:12:15 - Scan started. (Custom mode)

Listing running processes
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ThreadCreationTime : 2003-09-14 21:02:42
BasePriority : Normal

#:2 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ThreadCreationTime : 2003-09-14 21:02:47
BasePriority : High

#:3 [services.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 2003-09-14 21:02:49
BasePriority : Normal
FileSize : 99 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Applications Services et Contr
InternalName : services.exe
OriginalFilename : services.exe
ProductName : Syst
Created on : 2001-08-28 16:00:00
Last accessed : 2003-09-14 04:00:00
Last modified : 2001-08-28 16:00:00

#:4 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 2003-09-14 21:02:49
BasePriority : Normal
FileSize : 11 KB
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
OriginalFilename : lsass.exe
ProductName : Microsoft
Created on : 2001-08-28 16:00:00
Last accessed : 2003-09-14 04:00:00
Last modified : 2002-08-29 18:45:10

#:5 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 2003-09-14 21:02:51
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 2001-08-28 16:00:00
Last accessed : 2003-09-14 04:00:00
Last modified : 2001-08-28 16:00:00

#:6 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 2003-09-14 21:02:51
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 2001-08-28 16:00:00
Last accessed : 2003-09-14 04:00:00
Last modified : 2001-08-28 16:00:00

#:7 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 2003-09-14 21:02:55
BasePriority : Normal
FileSize : 50 KB
FileVersion : 5.1.2600.0 (XPClient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
OriginalFilename : spoolsv.exe
ProductName : Microsoft
Created on : 2001-08-28 16:00:00
Last accessed : 2003-09-14 04:00:00
Last modified : 2001-08-28 16:00:00

#:8 [avgamsvr.exe]
FilePath : C:\PROGRA~1\Grisoft\AVG7\
ThreadCreationTime : 2003-09-14 21:02:55
BasePriority : Normal
FileSize : 187 KB
FileVersion : 7,0,0,175
ProductVersion : 7.0.0.175
Copyright : Copyright
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Alert Manager
InternalName : avgamsvr
OriginalFilename : avgamsvr.EXE
ProductName : AVG Anti-Virus System
Created on : 2003-09-11 23:20:14
Last accessed : 2003-09-14 04:00:00
Last modified : 2003-09-11 23:20:16

#:9 [avgupsvc.exe]
FilePath : C:\PROGRA~1\Grisoft\AVG7\
ThreadCreationTime : 2003-09-14 21:02:55
BasePriority : Normal
FileSize : 22 KB
FileVersion : 7,0,0,132
ProductVersion : 7.0.0.132
Copyright : Copyright
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Update Service
InternalName : avgupsvc
OriginalFilename : avgupdsvc.EXE
ProductName : AVG 7.0 Anti-Virus System
Created on : 2003-09-09 01:59:12
Last accessed : 2003-09-14 04:00:00
Last modified : 2003-09-09 01:59:14

#:10 [ctsvccda.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 2003-09-14 21:02:55
BasePriority : Normal
FileSize : 43 KB
FileVersion : 1.0.1.0
ProductVersion : 1.0.0.0
Copyright : Copyright (c) Creative Technology Ltd., 1999. All rights reserved.
CompanyName : Creative Technology Ltd
FileDescription : Creative Service for CDROM Access
InternalName : CTsvcCDAEXE
OriginalFilename : CTsvcCDA.EXE
ProductName : Creative Service for CDROM Access
Created on : 2002-09-27 10:56:12
Last accessed : 2003-09-14 04:00:00
Last modified : 1999-12-13 05:01:00

#:11 [nvsvc32.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 2003-09-14 21:02:55
BasePriority : Normal
FileSize : 60 KB
FileVersion : 6.13.10.3082
ProductVersion : 6.13.10.3082
Copyright : (c) NVIDIA Corporation. All rights reserved.
CompanyName : NVIDIA Corporation
FileDescription : NVIDIA Driver Helper Service, Version 30.82
InternalName : NVSVC
OriginalFilename : nvsvc32.exe
ProductName : NVIDIA Driver Helper Service, Version 30.82
Created on : 2002-11-13 22:40:43
Last accessed : 2003-09-14 04:00:00
Last modified : 2002-07-16 16:16:00

#:12 [tcpsvcs.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 2003-09-14 21:02:56
BasePriority : Normal
FileSize : 19 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : TCP/IP Services Application
InternalName : TCPSVCS.EXE
OriginalFilename : TCPSVCS.EXE
ProductName : Microsoft
Created on : 2001-08-28 16:00:00
Last accessed : 2003-09-14 04:00:00
Last modified : 2001-08-28 16:00:00

#:13 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 2003-09-14 21:02:56
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 2001-08-28 16:00:00
Last accessed : 2003-09-14 04:00:00
Last modified : 2001-08-28 16:00:00

#:14 [mspmspsv.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 2003-09-14 21:02:56
BasePriority : Normal
FileSize : 52 KB
FileVersion : 7.00.00.1954
ProductVersion : 7.00.00.1954
Copyright : Copyright (C) Microsoft Corp. 1981-2000
CompanyName : Microsoft Corporation
FileDescription : WMDM PMSP Service
InternalName : MSPMSPSV.EXE
OriginalFilename : MSPMSPSV.EXE
ProductName : Microsoft (R) DRM
Created on : 2000-06-26 11:44:20
Last accessed : 2003-09-14 04:00:00
Last modified : 2000-06-26 11:44:20

#:15 [devldr32.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 2003-09-14 21:03:09
BasePriority : Normal
FileSize : 25 KB
FileVersion : 1, 0, 0, 22
ProductVersion : 1, 0, 0, 22
Copyright : Copyright
CompanyName : Creative Technology Ltd.
FileDescription : DevLdr32
InternalName : DevLdr
OriginalFilename : DevLdr32.exe
ProductName : Creative Ring3 NT Inteface
Created on : 2002-09-24 04:12:51
Last accessed : 2003-09-14 04:00:00
Last modified : 2001-08-31 05:44:30

#:16 [explorer.exe]
FilePath : C:\WINDOWS\
ThreadCreationTime : 2003-09-14 21:03:13
BasePriority : Normal
FileSize : 977 KB
FileVersion : 6.00.2800.1221 (xpsp2.030511-1403)
ProductVersion : 6.00.2800.1221
CompanyName : Microsoft Corporation
FileDescription : Explorateur Windows
InternalName : explorer
OriginalFilename : EXPLORER.EXE
ProductName : Syst
Created on : 2003-05-29 15:49:48
Last accessed : 2003-09-14 04:00:00
Last modified : 2003-05-29 15:49:48

#:17 [dap.exe]
FilePath : C:\PROGRA~1\DAP\
ThreadCreationTime : 2003-09-14 21:03:20
BasePriority : Normal
FileSize : 1412 KB
FileVersion : 5, 3, 9, 6
ProductVersion : 5, 3, 9, 6
Copyright : Copyright (C) 1999 - 2003 SpeedBit Ltd
CompanyName : SpeedBit Ltd.
FileDescription : Download Accelerator Plus
InternalName : DAP
OriginalFilename : DAP.EXE
ProductName : Download Accelerator Plus
Created on : 2002-12-29 12:15:09
Last accessed : 2003-09-14 04:00:00
Last modified : 2003-08-25 00:52:44

#:18 [ad-watch.exe]
FilePath : C:\Program Files\Lavasoft\Ad-aware 6\
ThreadCreationTime : 2003-09-14 21:03:21
BasePriority : Normal
FileSize : 383 KB
FileVersion : 3.1.2.17
ProductVersion : 3.0
Copyright : 2001-2003 Team Lavasoft
CompanyName : Lavasoft Sweden
FileDescription : Ad-watch Monitor
InternalName : Ad-watch.exe
OriginalFilename : Ad-watch.exe
ProductName : Ad-aware 6
Created on : 2003-09-12 02:07:27
Last accessed : 2003-09-14 04:00:00
Last modified : 2003-02-13 02:04:42

#:19 [iamsad.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 2003-09-14 21:03:21
BasePriority : Normal
FileSize : 52 KB
Created on : 2003-09-12 22:23:48
Last accessed : 2003-09-14 04:00:00
Last modified : 2003-09-12 22:07:18

#:20 [ctfmon.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 2003-09-14 21:03:21
BasePriority : Normal
FileSize : 13 KB
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
CompanyName : Microsoft Corporation
FileDescription : CTF Loader
InternalName : CTFMON
OriginalFilename : CTFMON.EXE
ProductName : Microsoft
Created on : 2002-09-24 01:11:55
Last accessed : 2003-09-14 04:00:00
Last modified : 2002-08-29 18:45:10

#:21 [popfilter.exe]
FilePath : C:\Program Files\Meaya\Popup Ad Filter\
ThreadCreationTime : 2003-09-14 21:03:21
BasePriority : Normal
FileSize : 262 KB
Created on : 2001-05-21 06:32:05
Last accessed : 2003-09-14 04:00:00
Last modified : 2001-05-21 06:32:06

#:22 [cursorxp.exe]
FilePath : C:\Program Files\CursorXP\
ThreadCreationTime : 2003-09-14 21:03:21
BasePriority : High
FileSize : 77 KB
FileVersion : 1, 2, 0, 0
ProductVersion : 1, 2, 0, 0
Copyright : Copyright
FileDescription : CursorXP
InternalName : CursorXP
OriginalFilename : CursorEx.exe
ProductName : Stardock CursorXP
Created on : 2003-03-23 16:31:19
Last accessed : 2003-09-14 04:00:00
Last modified : 2002-06-19 02:52:00

#:23 [zapro.exe]
FilePath : C:\Program Files\Zone Labs\ZoneAlarm\
ThreadCreationTime : 2003-09-14 21:03:23
BasePriority : Normal
FileSize : 413 KB
FileVersion : 4.0.123.012
ProductVersion : 4.0.123.012
Copyright : Copyright
CompanyName : Zone Labs Inc.
FileDescription : ZoneAlarm Pro
InternalName : zapro
OriginalFilename : zapro.exe
ProductName : ZoneAlarm Pro
Created on : 2003-04-06 16:38:53
Last accessed : 2003-09-14 04:00:00
Last modified : 2003-06-10 04:02:44

#:24 [icm.exe]
FilePath : C:\Program Files\Internet Call Manager\
ThreadCreationTime : 2003-09-14 21:03:24
BasePriority : Normal
FileSize : 1600 KB
FileVersion : 8, 1, 0, 21
ProductVersion : 8, 1, 0, 21
Copyright : Copyright (C) 1996-2002
CompanyName : InfoInterActive Corp.
FileDescription : ICM Client Application
InternalName : ICM Client
OriginalFilename : ICM.EXE
ProductName : Internet Call Manager
Created on : 2002-09-16 23:35:30
Last accessed : 2003-09-14 04:00:00
Last modified : 2002-09-23 17:10:38

#:25 [spamkiller.exe]
FilePath : C:\Program Files\McAfee.com\SpamKiller\
ThreadCreationTime : 2003-09-14 21:03:25
BasePriority : Normal
FileSize : 2353 KB
FileVersion : 4.0.40.0
ProductVersion : 4.0
Copyright : Copyright
CompanyName : McAfee.com
FileDescription : SpamKiller
InternalName : SpamKiller
OriginalFilename : SPAMKILLER.EXE
ProductName : SpamKiller
Created on : 2003-06-18 00:03:14
Last accessed : 2003-09-14 04:00:00
Last modified : 2002-08-31 01:48:56

#:26 [avgcc.exe]
FilePath : C:\Program Files\Grisoft\AVG7\
ThreadCreationTime : 2003-09-14 21:03:26
BasePriority : Normal
FileSize : 277 KB
FileVersion : 7,0,0,174
ProductVersion : 7.0.0.174
Copyright : Copyright
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Control Center
InternalName : AvgCC
OriginalFilename : AvgCC.EXE
ProductName : AVG Anti-Virus System
Created on : 2003-09-11 23:20:14
Last accessed : 2003-09-14 04:00:00
Last modified : 2003-09-11 23:20:16

#:27 [stealth27.exe]
FilePath : C:\Program Files\Stealther\
ThreadCreationTime : 2003-09-14 21:03:27
BasePriority : Normal
FileSize : 1145 KB
FileVersion : 2.7.0.0
ProductVersion : 2.6
Copyright : 2000 Thorsten Schmidt
CompanyName : Photono Software
FileDescription : Saves your privacy by using the Super Stealth Technology
InternalName : sa
ProductName : Stealther
Created on : 2003-09-13 19:03:52
Last accessed : 2003-09-14 04:00:00
Last modified : 2001-10-27 04:04:20

#:28 [vsmon.exe]
FilePath : C:\WINDOWS\SYSTEM32\ZONELABS\
ThreadCreationTime : 2003-09-14 21:03:30
BasePriority : Normal
FileSize : 873 KB
FileVersion : 4.0.123.012
ProductVersion : 4.0.123.012
Copyright : Copyright
CompanyName : Zone Labs Inc.
FileDescription : TrueVector Service
InternalName : vsmon
OriginalFilename : vsmon.exe
ProductName : TrueVector Service
Created on : 2003-01-18 18:24:45
Last accessed : 2003-09-14 04:00:00
Last modified : 2003-06-10 04:02:12

#:29 [avgemc.exe]
FilePath : C:\Program Files\Grisoft\AVG7\
ThreadCreationTime : 2003-09-14 21:03:40
BasePriority : Normal
FileSize : 170 KB
FileVersion : 7,0,0,159
ProductVersion : 7.0.0.159
Copyright : Copyright
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG E-Mail Scanner
InternalName : avgemc
OriginalFilename : avgemc.exe
ProductName : AVG Anti-Virus System
Created on : 2003-09-09 03:29:24
Last accessed : 2003-09-14 04:00:00
Last modified : 2003-09-09 03:29:26

#:30 [iexplore.exe]
FilePath : C:\Program Files\Internet Explorer\
ThreadCreationTime : 2003-09-14 21:05:28
BasePriority : Normal
FileSize : 89 KB
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
OriginalFilename : IEXPLORE.EXE
ProductName : Syst
Created on : 2002-09-24 01:23:15
Last accessed : 2003-09-14 04:00:00
Last modified : 2002-08-29 18:45:10

#:31 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-aware 6\
ThreadCreationTime : 2003-09-14 21:07:49
BasePriority : Normal
FileSize : 724 KB
FileVersion : 6.0.1.183
ProductVersion : 6.0.0.0
Copyright : Copyright
CompanyName : Lavasoft Sweden
FileDescription : Ad-aware 6 core application
InternalName : Ad-aware.exe
OriginalFilename : Ad-aware.exe
ProductName : Lavasoft Ad-aware Plus
Created on : 2003-09-12 02:07:28
Last accessed : 2003-09-14 04:00:00
Last modified : 2003-07-13 02:01:58

Memory scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0

Started registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0

Started deep registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Deep registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0

Deep scanning and examining files (C:)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

TopSearch Object recognized but ignored
Type : File
Data : topsearch.dll
Category : Data Miner
Comment :
Object : C:\Program Files\KaZaA\topsearch.dll

Disk scan result for C:\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0

Deep scanning and examining files (D:)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Disk scan result for D:\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0

Scanning Hosts file(C:\WINDOWS\System32\drivers\etc\hosts)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Hosts file scan result:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
1 entries scanned.
New objects :0
Objects found so far: 0

17:15:16 Scan complete

Summary of this scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Total scanning time :00:03:01:63
Objects scanned :89238
Objects identified :0
Objects ignored :1
New objects :0
Fix with HijackThis:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O4 - HKLM\..\Run: [NAV Auto Update] IAMSAD.EXE

Terminate IAMSAD.EXE in Task Manager and delete C:\WINDOWS\System32\IAMSAD.EXE file.
Thanks Top Banana.

I just did that. I scanned with Spybot and there were no problems spotted.
I rebooted.

I ran HijackThis again and IAmSad.exe is still there. This is the last log from HijackThis:

Logfile of HijackThis v1.97.2
Scan saved at 18:40:46, on 2003-09-14
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\DAP\DAP.EXE
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\WINDOWS\System32\IAMSAD.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Meaya\Popup Ad Filter\PopFilter.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\Program Files\Internet Call Manager\Icm.exe
C:\Program Files\McAfee.com\SpamKiller\SpamKiller.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Stealther\stealth27.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\Program Files\Grisoft\AVG7\avgemc.exe
C:\cracks3\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:14000
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\PROGRA~1\COPERN~2\COPERN~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\Avg6\avgcc32.exe /startup
O4 - HKLM\..\Run: [NAV Auto Update] IAMSAD.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Popup Ad Filter] C:\Program Files\Meaya\Popup Ad Filter\PopFilter.exe
O4 - HKCU\..\Run: [CursorXP] "C:\Program Files\CursorXP\CursorXP.exe" -s
O4 - Startup: zonealarm pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O4 - Startup: 3Deep.lnk = C:\Program Files\E-Color\3Deep\3Deepctl.exe
O4 - Startup: Internet Call Manager.LNK = C:\Program Files\Internet Call Manager\ICM.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: McAfee.com SpamKiller.lnk = C:\Program Files\McAfee.com\SpamKiller\SpamKiller.exe
O4 - Startup: AVG Control Center.lnk = C:\Program Files\Grisoft\AVG7\avgcc.exe
O4 - Startup: Stealther.lnk = C:\Program Files\Stealther\stealth27.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm
O8 - Extra context menu item: Allow Popups - C:\Program Files\Meaya\Popup Ad Filter\WhiteGetUrl.js
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Search Using Copernic Agent - C:\Program Files\Copernic Agent\Web\SearchExt.htm
O9 - Extra 'Tools' menuitem: Launch Copernic Agent (HKLM)
O9 - Extra button: Copernic Agent (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: NeoTrace It! (HKCU)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37878.6042592593
Scan with HijackThis, put a checkmark at the following entries, and click "Fix checked".

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [NAV Auto Update] IAMSAD.EXE

Terminate IAMSAD.EXE in Task Manager and delete C:\WINDOWS\System32\IAMSAD.EXE file.
Sorry Top Banana,

I thought I did everything the first time, but I forgot to delete the system32/IAMSAD.EXE

So I did it again, but this time deleting the IAMSAD.exe file, and everything is now OK.

Thanks to you and to all.

But can you tell me how you selected the good line in the HijackThis program?

Where did this IAMSAD.exe come from?
If you want to keep on using Kazaa, uninstall it, run an AA6 scan and remove all the objects, then reinstall Kazaa.

Kazaa places a lot of objects on your PC, including P2Pnetworking and Bull dog A/V.

Try a clean alternative: WinMX or Shareaza.

You will be constantly finding objects on your machine and Ad-watch in use warning or preventing these objects from being installed.

Please make sure, when you run a scan and remove objects, to follow the instructions found here: http://forums.techguy.org/t164245/s.html
From some slim clues - it appears to be a variant of the w32.spybot worm.
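As an added illustration (not part of the thread, and not a description of how the helpers here chose their entries), the Python below shows one way to triage the two kinds of log posted above: it flags registry Run entries that name an executable without any directory, resolves them against the running-process list, and cross-checks the Ad-aware process records for System32 images that carry no CompanyName and were created shortly before the scan. The function names, the two heuristics and the 7-day `max_age_days` threshold are assumptions chosen for this example; the sample lines are excerpted from the logs in this thread with fields trimmed.

```python
import re
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"
RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[(.+?)\] (.+)$", re.M)

# Lines excerpted from the first HijackThis log in this thread.
HJT_LOG = r"""
Running processes:
C:\WINDOWS\System32\IAMSAD.EXE
C:\WINDOWS\System32\ctfmon.exe

O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [NAV Auto Update] IAMSAD.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
"""

# Records excerpted (fields trimmed) from the Ad-aware log in this thread.
AAW_LOG = r"""
2003-09-14 17:12:15 - Scan started. (Custom mode)

#:1 [smss.exe]
FilePath : \SystemRoot\System32\

#:19 [iamsad.exe]
FilePath : C:\WINDOWS\System32\
Created on : 2003-09-12 22:23:48

#:20 [ctfmon.exe]
FilePath : C:\WINDOWS\System32\
CompanyName : Microsoft Corporation
Created on : 2002-09-24 01:11:55

#:21 [popfilter.exe]
FilePath : C:\Program Files\Meaya\Popup Ad Filter\
Created on : 2001-05-21 06:32:05
"""

def bare_run_entries(log):
    """Registry Run entries given without a directory, resolved via the process list."""
    running = {p.rsplit("\\", 1)[-1].lower(): p
               for p in re.findall(r"^[A-Za-z]:\\.+$", log, re.M)}
    hits = []
    for _hive, name, cmd in RUN_RE.findall(log):
        if "\\" not in cmd:  # no directory: the image is found via the search path
            exe = cmd.split()[0]
            hits.append((name, exe, running.get(exe.lower())))
    return hits

def parse_aaw_processes(log):
    """Return one dict per '#:n [name]' record of an Ad-aware process listing."""
    records, current = [], None
    for line in log.splitlines():
        line = line.strip()
        head = re.match(r"^#:\d+ \[(.+)\]$", line)
        if head:
            current = {"name": head.group(1)}
            records.append(current)
        elif not line:
            current = None  # a blank line ends the record
        elif current is not None and " : " in line:
            key, value = line.split(" : ", 1)
            current[key.strip()] = value.strip()
    return records

def suspicious_processes(log, max_age_days=7):
    """System32 images with no CompanyName, created shortly before the scan."""
    started = re.search(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) - Scan started", log, re.M)
    scan_time = datetime.strptime(started.group(1), FMT)
    hits = []
    for rec in parse_aaw_processes(log):
        created = rec.get("Created on")
        if created is None:  # e.g. smss.exe: the scanner read no file metadata
            continue
        in_system32 = rec.get("FilePath", "").lower().rstrip("\\").endswith("\\system32")
        age = scan_time - datetime.strptime(created, FMT)
        if in_system32 and "CompanyName" not in rec and age <= timedelta(days=max_age_days):
            hits.append(rec["name"])
    return hits

def triage(hjt_log, aaw_log):
    """Run entries that are path-less, running, and backed by a suspicious image."""
    flagged = set(suspicious_processes(aaw_log))
    return [(name, exe) for name, exe, path in bare_run_entries(hjt_log)
            if path and exe.lower() in flagged]
```

Neither heuristic is conclusive on its own: `SysTray.Exe` is also listed without a path, and `popfilter.exe` also lacks a CompanyName, which is why the example only reports entries where both signals agree.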