Avast WEBforum

Other => Viruses and worms => Topic started by: IcyLady on March 21, 2007, 03:04:31 AM

Title: Returning Adware
Post by: IcyLady on March 21, 2007, 03:04:31 AM
Hello everyone,

I am in desperate need of help! Last night, when I turned on my computer, it started acting very strange. Every 10-15 minutes an Avast Warning kept popping up, saying an Adware was detected. I moved each file to the chest, then ran the scan on Avast, Adware, Disc Cleanup, and CCleaner. Also, after browsing this forum, I scanned my computer with Ewido. The thing keeps coming back. I'm a little lost at what to try next. I'm using Windows XP and the 4.7 version of Avast.
Here's the log view for the last two days.

3/19/2007 6:42:15 PM   SYSTEM   1344   Sign of "Win32:Adware-gen. [Adw]" has been found in "C:\WINDOWS\system32\rlxf.dll" file. 
3/19/2007 6:42:32 PM   SYSTEM   1344   Sign of "Win32:Adware-gen. [Adw]" has been found in "C:\WINDOWS\system32\ActiveToolBand.dll" file. 
3/19/2007 6:43:57 PM   SYSTEM   1344   Sign of "Win32:Adware-gen. [Adw]" has been found in "C:\DOCUME~1\Inna\LOCALS~1\Temp\~os15.tmp\DOMPilot.dll" file. 
3/19/2007 6:54:33 PM   SYSTEM   1344   Sign of "Win32:Adware-gen. [Adw]" has been found in "C:\DOCUME~1\Inna\LOCALS~1\Temp\~os17.tmp\DOMPilot.dll" file. 
3/19/2007 7:13:52 PM   SYSTEM   1344   Sign of "Win32:Adware-gen. [Adw]" has been found in "C:\DOCUME~1\Inna\LOCALS~1\Temp\~os1A.tmp\DOMPilot.dll" file. 
3/19/2007 7:24:48 PM   SYSTEM   1344   Sign of "Win32:Adware-gen. [Adw]" has been found in "C:\DOCUME~1\Inna\LOCALS~1\Temp\~os1C.tmp\DOMPilot.dll" file. 
3/19/2007 7:37:45 PM   SYSTEM   1344   Sign of "Win32:Adware-gen. [Adw]" has been found in "C:\DOCUME~1\Inna\LOCALS~1\Temp\~os1F.tmp\DOMPilot.dll" file. 
3/19/2007 7:48:26 PM   SYSTEM   1344   Sign of "Win32:Adware-gen. [Adw]" has been found in "C:\DOCUME~1\Inna\LOCALS~1\Temp\~os21.tmp\DOMPilot.dll" file. 
3/19/2007 7:49:10 PM   SYSTEM   1344   Sign of "Win32:Adware-gen. [Adw]" has been found in "C:\DOCUME~1\Inna\LOCALS~1\Temp\~os21.tmp\DOMPilot.dll" file. 
3/19/2007 7:59:40 PM   SYSTEM   1344   Sign of "Win32:Adware-gen. [Adw]" has been found in "C:\DOCUME~1\Inna\LOCALS~1\Temp\~os23.tmp\DOMPilot.dll" file. 
3/19/2007 9:31:15 PM   SYSTEM   1344   Sign of "Win32:Adware-gen. [Adw]" has been found in "C:\DOCUME~1\Inna\LOCALS~1\Temp\~os25.tmp\DOMPilot.dll" file. 
3/19/2007 9:42:09 PM   SYSTEM   1344   Sign of "Win32:Adware-gen. [Adw]" has been found in "C:\DOCUME~1\Inna\LOCALS~1\Temp\~os27.tmp\DOMPilot.dll" file. 
3/19/2007 9:53:22 PM   Inna   3300   Sign of "Win32:Adware-gen. [Adw]" has been found in "C:\WINDOWS\system32\ActiveToolBand.dll" file. 
3/19/2007 9:53:41 PM   SYSTEM   1344   Sign of "Win32:Adware-gen. [Adw]" has been found in "C:\DOCUME~1\Inna\LOCALS~1\Temp\~os29.tmp\DOMPilot.dll" file. 
3/19/2007 9:55:47 PM   Inna   3300   Sign of "Win32:Adware-gen. [Adw]" has been found in "C:\WINDOWS\system32\silc_dll.dll" file. 
3/19/2007 9:56:00 PM   Inna   3300   Sign of "Win32:Adware-gen. [Adw]" has been found in "C:\WINDOWS\system32\trz2A.tmp" file. 
3/19/2007 10:05:58 PM   SYSTEM   1344   Sign of "Win32:Adware-gen. [Adw]" has been found in "C:\DOCUME~1\Inna\LOCALS~1\Temp\~os34.tmp\DOMPilot.dll" file. 
3/19/2007 10:06:32 PM   Inna   3300   Sign of "Win32:Adware-gen. [Adw]" has been found in "C:\Documents and Settings\Inna\Local Settings\Temp\~os34.tmp\DOMPilot.dll" file. 
3/19/2007 10:26:39 PM   SYSTEM   1344   Sign of "Win32:Adware-gen. [Adw]" has been found in "C:\DOCUME~1\Inna\LOCALS~1\Temp\~os37.tmp\DOMPilot.dll" file. 
3/19/2007 10:37:22 PM   SYSTEM   1344   Sign of "Win32:Adware-gen. [Adw]" has been found in "C:\DOCUME~1\Inna\LOCALS~1\Temp\~os46.tmp\DOMPilot.dll" file. 
3/19/2007 10:40:20 PM   Inna   3300   Sign of "Win32:Adware-gen. [Adw]" has been found in "C:\System Volume Information\_restore{64C55BAE-0167-4E29-A424-980E0BCA06F2}\RP166\A0069620.exe" file. 
3/19/2007 10:40:30 PM   Inna   3300   Sign of "Win32:Adware-gen. [Adw]" has been found in "C:\System Volume Information\_restore{64C55BAE-0167-4E29-A424-980E0BCA06F2}\RP167\A0069667.dll" file. 
3/19/2007 10:40:34 PM   Inna   3300   Sign of "Win32:Adware-gen. [Adw]" has been found in "C:\System Volume Information\_restore{64C55BAE-0167-4E29-A424-980E0BCA06F2}\RP167\A0069736.dll" file. 
3/19/2007 10:40:37 PM   Inna   3300   Sign of "Win32:Adware-gen. [Adw]" has been found in "C:\System Volume Information\_restore{64C55BAE-0167-4E29-A424-980E0BCA06F2}\RP167\A0069737.dll" file. 
3/20/2007 7:35:26 PM   SYSTEM   1364   Sign of "Win32:Adware-gen. [Adw]" has been found in "C:\DOCUME~1\Inna\LOCALS~1\Temp\~os7.tmp\DOMPilot.dll" file. 
3/20/2007 7:46:29 PM   SYSTEM   1364   Sign of "Win32:Adware-gen. [Adw]" has been found in "C:\DOCUME~1\Inna\LOCALS~1\Temp\~osA.tmp\DOMPilot.dll" file. 
3/20/2007 7:56:56 PM   SYSTEM   1364   Sign of "Win32:Adware-gen. [Adw]" has been found in "C:\DOCUME~1\Inna\LOCALS~1\Temp\~osC.tmp\DOMPilot.dll" file. 
3/20/2007 8:07:21 PM   SYSTEM   1364   Sign of "Win32:Adware-gen. [Adw]" has been found in "C:\DOCUME~1\Inna\LOCALS~1\Temp\~osE.tmp\DOMPilot.dll" file. 
3/20/2007 8:17:46 PM   SYSTEM   1364   Sign of "Win32:Adware-gen. [Adw]" has been found in "C:\DOCUME~1\Inna\LOCALS~1\Temp\~os10.tmp\DOMPilot.dll" file. 
3/20/2007 8:28:14 PM   SYSTEM   1364   Sign of "Win32:Adware-gen. [Adw]" has been found in "C:\DOCUME~1\Inna\LOCALS~1\Temp\~os13.tmp\DOMPilot.dll" file. 
3/20/2007 8:29:57 PM   SYSTEM   1364   Sign of "Win32:Adware-gen. [Adw]" has been found in "C:\Recycled\Dc1.dll" file. 
3/20/2007 8:40:18 PM   SYSTEM   1364   Sign of "Win32:Adware-gen. [Adw]" has been found in "C:\DOCUME~1\Inna\LOCALS~1\Temp\~os15.tmp\DOMPilot.dll" file. 
3/20/2007 8:50:55 PM   SYSTEM   1364   Sign of "Win32:Adware-gen. [Adw]" has been found in "C:\DOCUME~1\Inna\LOCALS~1\Temp\~os17.tmp\DOMPilot.dll" file. 
3/20/2007 9:12:53 PM   SYSTEM   1364   Sign of "Win32:Adware-gen. [Adw]" has been found in "C:\DOCUME~1\Inna\LOCALS~1\Temp\~os2E.tmp\DOMPilot.dll" file. 
3/20/2007 9:23:30 PM   SYSTEM   1364   Sign of "Win32:Adware-gen. [Adw]" has been found in "C:\DOCUME~1\Inna\LOCALS~1\Temp\~os30.tmp\DOMPilot.dll" file. 
3/20/2007 9:34:11 PM   SYSTEM   1364   Sign of "Win32:Adware-gen. [Adw]" has been found in "C:\DOCUME~1\Inna\LOCALS~1\Temp\~os32.tmp\DOMPilot.dll" file. 
3/20/2007 9:44:41 PM   SYSTEM   1364   Sign of "Win32:Adware-gen. [Adw]" has been found in "C:\DOCUME~1\Inna\LOCALS~1\Temp\~os36.tmp\DOMPilot.dll" file. 
3/20/2007 9:55:06 PM   SYSTEM   1364   Sign of "Win32:Adware-gen. [Adw]" has been found in "C:\DOCUME~1\Inna\LOCALS~1\Temp\~os38.tmp\DOMPilot.dll" file.


Looks really scary. :)
Any help would be appreciated. Thank you.
Title: Re: Returning Adware
Post by: Lisandro on March 21, 2007, 03:09:14 AM
If a virus is replicant (coming and coming again), you should:

1) Enable/Disable System restore on Windows ME (http://support.microsoft.com/default.aspx?scid=kb;en-us;Q264887) or Windows XP (http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;310405). System Restore cannot be disabled on Windows 9x and it's not available in Windows 2k.

2) Clean your temporary files. You can use the Windows Advanced Care (http://www.iobit.com/AdvancedWindowsCarePersonal/index.html) features for that.

3) Schedule a boot time scanning with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select for scanning archives. Boot. Other option is scanning in SafeMode (http://support.microsoft.com/default.aspx?scid=kb;en-us;315222) (repeatedly press F8 while booting).

4) It will be good if you download, install, update and run other trojan remover tools: a-squared (http://www.emsisoft.com/en/software/free/) and/or Free AVG Antispyware (http://www.ewido.net/en/) (trojan removers). Some users recommend SUPERantispyware (http://www.superantispyware.com) or Spyware Terminator (http://www.spywareterminator.com/).

5) Use the immunization of SpywareBlaster or, which is better, the Windows Advanced Care (http://www.iobit.com/AdvancedWindowsCarePersonal/index.html) features of spyware/adware cleaning and removal.
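
Added example (not part of any post in this thread): a Python sketch that sorts avast! log lines from the first post by where each file lives, matching the System Restore and temp-file steps above, and flags a file name that keeps being detected under new temp directories, the pattern that moving each copy to the chest did not stop. The function names and category labels are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Six lines copied from the avast! log in the first post of this thread.
SAMPLE_LOG = r'''
3/19/2007 6:42:32 PM   SYSTEM   1344   Sign of "Win32:Adware-gen. [Adw]" has been found in "C:\WINDOWS\system32\ActiveToolBand.dll" file.
3/19/2007 10:40:20 PM   Inna   3300   Sign of "Win32:Adware-gen. [Adw]" has been found in "C:\System Volume Information\_restore{64C55BAE-0167-4E29-A424-980E0BCA06F2}\RP166\A0069620.exe" file.
3/20/2007 7:35:26 PM   SYSTEM   1364   Sign of "Win32:Adware-gen. [Adw]" has been found in "C:\DOCUME~1\Inna\LOCALS~1\Temp\~os7.tmp\DOMPilot.dll" file.
3/20/2007 7:46:29 PM   SYSTEM   1364   Sign of "Win32:Adware-gen. [Adw]" has been found in "C:\DOCUME~1\Inna\LOCALS~1\Temp\~osA.tmp\DOMPilot.dll" file.
3/20/2007 7:56:56 PM   SYSTEM   1364   Sign of "Win32:Adware-gen. [Adw]" has been found in "C:\DOCUME~1\Inna\LOCALS~1\Temp\~osC.tmp\DOMPilot.dll" file.
3/20/2007 8:07:21 PM   SYSTEM   1364   Sign of "Win32:Adware-gen. [Adw]" has been found in "C:\DOCUME~1\Inna\LOCALS~1\Temp\~osE.tmp\DOMPilot.dll" file.
'''
LINE = re.compile(r'^(\d+/\d+/\d+ \d+:\d+:\d+ [AP]M)\s+\S+\s+\d+\s+'
                  r'Sign of "[^"]+" has been found in "([^"]+)" file')

def classify(path):
    # Bucket a detection by location (category names are assumptions).
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "system-restore"  # restore-point copy, step 1 above
    return "temp" if "\\temp\\" in p else "other"  # temp files, step 2 above

def parse(text):
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            when = datetime.strptime(m.group(1), "%m/%d/%Y %I:%M:%S %p")
            events.append((when, m.group(2)))
    return events

def recurring_drops(events):
    # name -> (distinct temp paths, median seconds between detections)
    seen = defaultdict(list)
    for when, path in events:
        if classify(path) == "temp":
            seen[path.rsplit("\\", 1)[-1]].append((when, path))
    report = {}
    for name, hits in seen.items():
        hits.sort()
        paths = {p for _, p in hits}
        if len(paths) > 1:  # same file name, new directory each time
            gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
            report[name] = (len(paths), median(gaps))
    return report

if __name__ == "__main__":
    print(recurring_drops(parse(SAMPLE_LOG)))
```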
Title: Re: Returning Adware
Post by: FreewheelinFrank on March 21, 2007, 10:17:05 AM
Hi IcyLady,

Follow the instructions here for the removal of MarketScore:

Quote
Uninstall the spyware
You should try this method first. It uses the hidden uninstall feature of the spyware.

Follow the instructions for your operating system.

    * Windows 95/98/Me
         1. Click Start > Run.
         2. Type the following and press the Enter key after typing each one:

            command
            "%WinDir%\SYSTEM\NSCheck.exe" /uninstall

    * Windows NT/2000/XP
         1. Click Start > Run.
         2. Type the following and press the Enter key after typing each one:

            cmd
            NSCheck /uninstall

http://www.symantec.com/security_response/writeup.jsp?docid=2004-042117-5317-99&tabid=3

Go to Start>Control Panel>Add/Remove Programs and uninstall any entries for the following:

HiTrust
ActiveToolBand

In addition, check every entry in Add/Remove carefully: if it's not something you recognise, Google the name: if you see a report that it is adware or spyware, read about the risks and consider removing it.

Also run scans with the following:

a-Squared Free:

http://www.emsisoft.com/en/software/free/

Spybot Search & Destroy:

http://www.safer-networking.org/en/download/index.html

Come back and tell us if the situation improves!
Title: Re: Returning Adware
Post by: IcyLady on March 22, 2007, 03:06:55 AM
Wow, it worked! :D

Thank you very much for your help, guys. I've tried everything of the above, but I think only Spybot was able to fix the problem. After I ran a Spybot boot scan, my computer has been running soooo fast. The warning hasn't popped up in about an hour and a half. I know it's not long, but considering it used to pop up every 15 minutes, it's much better now. I think it's all fixed now. Or at least I hope it is.
Thank you again,

~IcyLady.
Title: Re: Returning Adware
Post by: Lisandro on March 22, 2007, 03:16:46 AM
Glad you've solved it, IcyLady.
Welcome to avast forums and feel free to come back any time you need help.
Keep protected, keep safe 8)
Title: Re: Returning Adware
Post by: cmcsandy on April 03, 2007, 05:09:41 PM
I am having the same problems.  Did you pay for Spybot?  I thought it was free and then they were trying to sell PC Doctor or something.  Are there any free ones? ::)
Title: Re: Returning Adware
Post by: FreewheelinFrank on April 03, 2007, 07:04:36 PM
Spybot Search and Destroy is free for home use, as are all the programs mentioned in this thread: Ad-Aware, AVG Anti-Spyware, a-Squared, SpywareTerminator and SuperAntiSpyware.

SpywareDoctor from PC Tools is not free. It has a free trial but won't remove malware found.

http://www.pctools.com/

Make sure you are not looking at a scam page trying to sell knock-off programs with similar names that won't work or may even charge money for doing nothing.

The links in this thread are good: be careful when Googling because the scams can come up. Searching for 'Spybot' especially produces lots of scam links.

Here's the link for Ad-Aware:

http://www.download.com/3000-2144-10045910.html
Title: Re: Returning Adware
Post by: Lisandro on April 03, 2007, 07:24:35 PM
Besides Spybot and Ad-aware, I suggest that you download, install, update and run other trojan remover tools: a-squared (http://www.emsisoft.com/en/software/free/) and/or Free AVG Antispyware (http://www.ewido.net/en/) (trojan removers). Some users recommend SUPERantispyware (http://www.superantispyware.com) or Spyware Terminator (http://www.spywareterminator.com/).

You can use the immunization of SpywareBlaster or, which is better, the Windows Advanced Care (http://www.iobit.com/AdvancedWindowsCarePersonal/index.html) features of spyware/adware cleaning and removal.

All these programs have free versions.