First of all please don't laugh at me if this seems silly and straightforward, but I'm worried I have a virus or something on my computer.
I have got Ad-Aware on my computer and Zone Alarm Pro. I noticed that my laptop was running slower than normal and did Ctrl, Alt, Del and my CPU was going nuts at between 15% and 100%. I then did a scan using Ad-Aware and it found a critical object with the following info;
Name: Advert Bar
Type: Reg Key
Category: Data Miner
I quarantined it then deleted it and thought that would be the end but it keeps coming back every time I turn the computer on!!
Is this a very bad thing that I seem to have or is it not too bad??
Can anyone please help me to get rid of it??
Thank you
Suzanna
P.S. I hope what I have put makes sense, I'm not mad really!!
Answers:
Try then remove the offending item.
Don't worry, it's not that bad and I don't think you're mad!
Answers:
Download HijackThis.zip from and extract the contents of the zip file to a suitable directory on your hard drive. Run HijackThis and click 'Do a system scan and save a logfile' and post the results here.
Knowledgeable folks will then be able to tell you how to remove that advert bar and if you have any other malware on your machine.
Answers:
I will download this and post the results.
Thank you
Suzanna
Answers:
I have just read the above link. Could I ask how do I know how far back to restore my system (does it give me options? I'm not sure when I got this bug) and then how do I look for a file named advert bar and remove it??
Is there any reason it keeps coming back?
Sorry, I'm really not up on all this technical stuff.
Thanks
Suzanna
Answers:
I really hope this makes sense to you and I have posted the right thing so here goes;
Logfile of HijackThis v1.99.1
Scan saved at 00:27:43, on 02/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Belkin\Belkin 802.11g Wireless Card Configuration Utility\utility.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\suzanne woodford\My Documents\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://C:\APPS\IE\offline\uk.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://C:\APPS\IE\offline\uk.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.d ll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.d ll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Felix II] C:\Program Files\ScreenMates\Felix II\Felix2.exe
O4 - Global Startup: Belkin 802.11g Wireless Card Utility.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{85D5BBF8-3A3C-4C2E-BCA1-6EB61C3E51D5}: NameServer = 212.159.13.49,212.159.13.50
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
I am going to restart my computer and see if it's still there and if it is I will do this scan again and post it just in case it doesn't show as I quarantined it earlier.
Thank you
Suzanna
Answers:
Here is the new scan
Logfile of HijackThis v1.99.1
Scan saved at 00:37:20, on 02/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Belkin\Belkin 802.11g Wireless Card Configuration Utility\utility.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\suzanne woodford\My Documents\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://C:\APPS\IE\offline\uk.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://C:\APPS\IE\offline\uk.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.d ll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.d ll
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Felix II] C:\Program Files\ScreenMates\Felix II\Felix2.exe
O4 - Global Startup: Belkin 802.11g Wireless Card Utility.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{85D5BBF8-3A3C-4C2E-BCA1-6EB61C3E51D5}: NameServer = 212.159.13.49,212.159.13.50
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Thanks
Suzanna
Answers:
I have just done the Ad-Aware scan and the bloody thing is back again (just in case you needed to know that?) Should I quarantine it again??
Answers:
Did you disable system restore before you ran the scan again? You don't need to take the PC back to a time before you picked up the problem, this is to stop it from hiding in your system files.
Answers:
Not that I'm a PC expert but browsing through your log I see you have some details regarding Norton. If someone could confirm, don't these seem to conflict if you have 2 antivirus detectors on a PC?
Answers:
Ere I missed that, or can't find it.. where are you on about.
Answers:
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
Answers:
I'm not familiar with this particular "advert bar/data miner", but these tend to be BHOs (browser helper objects). Personally, I use Autoruns from sysinternals.com to identify (and disable) BHOs.
From the HijackThis log, you seem to have 3 BHOs and 3 Toolbar companions. Does Ad-Aware give any indication as to which one is causing the problem? Do you have any adverts at the top of your browser, or any other program?
Do you have an exe called advertbar.exe anywhere on your PC? If so, try to delete it; if it won't delete, kill it in Task Manager first.
Failing that, this one ( ycomp5_5_7_0.d ll ) has a space in the name, so looks a bit iffy to me. You could use Autoruns or HijackThis to disable it (I would try and do this and any scan in safe mode, in case there is an exe running at startup which continually reloads it).
If you do a search on Google for this (or any other filename), you will get 1000s of lists of other people's HijackThis logs, which is one annoying aspect of HijackThis: you can never find anything about a filename now when doing Google searches, just HijackThis logs.
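Added example, not part of the original post and not HijackThis's own code: a Python parser that tallies the BHO (O2), toolbar (O3) and autostart (O4) entries from the first scan in this thread, flags entries whose file is missing, and diffs two scans to show what changed across the reboot. The function names are assumptions of this example; SCAN_2 stands in for the second scan, which in this excerpt differs only by the absent MSConfig Run line.

```python
import re
from collections import Counter

# Entry lines excerpted from the first HijackThis scan posted in this thread.
SCAN_1 = r"""
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.d ll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.d ll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [Felix II] C:\Program Files\ScreenMates\Felix II\Felix2.exe
"""
# Second scan (after the reboot): same excerpt without the MSConfig Run entry.
SCAN_2 = "\n".join(line for line in SCAN_1.splitlines() if "[MSConfig]" not in line)

# HijackThis entry lines start with a section code such as R1, O2 or O23.
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
SECTIONS = {"O2": "BHO", "O3": "IE toolbar", "O4": "autostart"}

def parse(log):
    """Return (code, detail) per entry line; headers and process paths are skipped."""
    matches = (ENTRY.match(line.strip()) for line in log.splitlines())
    return [m.groups() for m in matches if m]

def summarize(entries):
    """Count entries per section and collect those HijackThis marked as missing."""
    counts = Counter(SECTIONS.get(code, code) for code, _ in entries)
    missing = [detail for _, detail in entries if detail.endswith("(file missing)")]
    return counts, missing

def diff(before, after):
    """Entries that disappeared from, or appeared in, the later scan."""
    old, new = set(parse(before)), set(parse(after))
    return sorted(old - new), sorted(new - old)

if __name__ == "__main__":
    counts, missing = summarize(parse(SCAN_1))
    print(dict(counts))
    print("file missing:", missing)
    removed, added = diff(SCAN_1, SCAN_2)
    print("removed after reboot:", removed)
    print("added after reboot:", added)
```
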
Answers:
Before we start playing with your log file do this (which should sort it out):-
Download the trial version of Ewido Security Suite.
- Install ewido.
- During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
- Launch ewido
- It will prompt you to update; click the OK button and it will go to the main screen
- On the left side of the main screen click update
- Click on Start and let it update.
- DO NOT run a scan yet. You will do that later in safe mode
Run Ewido:
- Click on scanner
- Click Complete System Scan and the scan will begin.
- During the scan it will prompt you to clean files, click OK
- When the scan is finished, look at the bottom of the screen and click the Save report button.
- Save the report to your desktop
Go to Control Panel > Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.
I see you have Norton installed, is it up to date?? Do you still use it??
Answers:
May I suggest that if using summet like Ad-Aware, run with System Restore off, then run a scan, then turn restore back on. Also Microsoft Anti Spyware may do a better job; it did with me last night removing chtml Adware.
Ok ok lesson learnt bloomin freeserials.com
And run (if you have it) AVG in safe mode.
Answers:
Even the best get caught out then, Intel... lol
I almost got "Lop" the other week after my daughter had been on here. It attempted to install and change my homepage; Microsoft spyware saved me as it warned me, even so it rebooted the PC after I blocked it....
Was clean on several scans afterwards.
Answers:
Oh well suppose I will have to buy software now then
Answers:
Or trial it on an old PC like I do....
Answers:
On 16mb of RAM I think not........ see you on the Antiques Roadshow... lol
Answers:
Same thing... just a different bit of the program being referenced.
Anyone else, I'm pretty sure that's right.
