Ad aware did not get rid of spyware

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

wguido

Thread Starter
Joined
Jan 16, 2003
Messages
206
I have tried everything, and I can not get the stupid pop ups that were NEVER there before off. I downloaded adaware, did not work, I tried a reg cleaner, windows washer, spybot, everything you can think of. Even restored my computer back 2 months, HELP!!!!!!!!!!
 

pyritechips

Jim
Gone but Never Forgotten
Joined
Jun 2, 2002
Messages
26,907

Hello!

This sounds like it should be in the security forum, so assuming that it's ok with you, I will request that it be moved.

Exactly what kind of popups are you getting? Can you give us more information, like: What operating system do you have, what browser?

In the meantime, you can go to the following site and download and run Startuplist 1.51 and post the results here:

http://www.lurkhere.com/~nicefiles/
 


wguido

Thread Starter
Joined
Jan 16, 2003
Messages
206
StartupList report, 1/16/2003, 3:50:20 PM
StartupList version: 1.51
Started from : C:\unzipped\startuplist151[1]\StartupList.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\DELL\AccessDirect\dadapp.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\Common Files\Totem Shared\Uninstall0001\upd.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Washer\washer.exe
C:\Program Files\D-Link AirPlus\WLANMON.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\unzipped\startuplist151[1]\StartupList.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
D-Link AirPlus DWL-650+ Utility.lnk = ?

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

NvCplDaemon = RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
SynTPLpr = C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
SynTPEnh = C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
DadApp = C:\Program Files\DELL\AccessDirect\dadapp.exe
NAV Agent = C:\PROGRA~1\NORTON~1\navapw32.exe
NeroCheck = C:\WINDOWS\System32\NeroCheck.exe
Dell|Alert = C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
Sentry = C:\WINDOWS\Sentry.exe
Uninstall0001 = "C:\Program Files\Common Files\Totem Shared\Uninstall0001\upd.exe" LASTCALL!adverts.mp3dancer.com!StatsMP3Dancer
Microsoft Works Update Detection = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

washindex = C:\Program Files\Washer\washidx.exe "Wendie"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

AIM = C:\Program Files\AIM95\aim.exe -cnetwait.odl
Microsoft Works Update Detection = C:\Program Files\Microsoft Works\WkDetect.exe
Washer = C:\Program Files\Washer\washer.exe /0

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

washindex = C:\Program Files\Washer\washidx.exe "Wendie"

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\WINDOWS\IPINSIGT.DLL - {000004CC-E4FF-4F2C-BC30-DBEF0B983BC9}
(no name) - C:\WINDOWS\MSView.DLL - {00000580-C637-11D5-831C-00105AD6ACF0}
MediaLoads Enhanced - C:\Program Files\MediaLoads Enhanced\ME1.DLL - {85A702BA-EA8F-4B83-AA07-07A5186ACD7E}
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}
(no name) - C:\Program Files\Microsoft Money\System\mnyviewer.dll - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Norton AntiVirus - Scan my computer.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[SysProWmi Class]
InProcServer32 = C:\WINDOWS\System32\Dell\SystemProfiler\SysPro.ocx
CODEBASE = http://support.dell.com/us/en/systemprofiler/SysPro.CAB

[RdxIE Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\RdxIE.dll
CODEBASE = http://207.188.7.150/161b002aed60a3bd7306/netzip/RdxIE601.cab

[DmiReader Class]
InProcServer32 = C:\WINDOWS\DOWNLO~1\SYSPRO~1.DLL
CODEBASE = http://ftp.us.dell.com/fixes/PROFILER.CAB

[ContentAuditX Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\CONTEN~1.OCX
CODEBASE = http://a840.g.akamai.net/7/840/5805...ch.com/audit/includes/ContentAuditControl.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://active.macromedia.com/flash2/cabs/swflash.cab

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: \??\C:\DOCUME~1\Wendie\LOCALS~1\Temp\GLB1A2B.EXE||\??\C:\DOCUME~1\Wendie\LOCALS~1\Temp\GLB1A2B.EXE


--------------------------------------------------
End of report, 6,252 bytes
Report generated in 0.210 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
 
Joined
Jul 8, 2002
Messages
14,681
I don't see anything but you can try spybot from http://security.kolla.de

In my tests, it caught more than adaware.
Make sure you update the program before downloading by clicking Online, Check For Updates, Download Updates.
 

wguido

Thread Starter
Joined
Jan 16, 2003
Messages
206
The same ads that pop up are ebay, debt consolidation, specific pop, and albion...
 
Joined
Jan 16, 2003
Messages
8
Crumbs, you've got heaps of problems there. Are you sure you're using Spybot with the latest updates? Because I'm sure it should catch some of these:

Sentry = C:\WINDOWS\Sentry.exe

This is IPInsight/Sentry, see http://www.doxdesk.com/parasite/IPInsight.html

Uninstall0001 = "C:\Program Files\Common Files\Totem Shared\Uninstall0001\upd.exe" LASTCALL!adverts.mp3dancer.com!StatsMP3Dancer

This is Totem Updater. I've never seen it actually do anything, but it hangs around after uninstalling any of their programs (MP3Dancer in this case) and looks generally suspicious. Delete this startup entry using HijackThis! or regedit (registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Uninstall0001). Reboot and wipe the whole Program Files\Common Files\Totem Shared folder.

(no name) - C:\WINDOWS\IPINSIGT.DLL - {000004CC-E4FF-4F2C-BC30-DBEF0B983BC9}

This is IPInsight/Ipinsigt, see the above page again.

(no name) - C:\WINDOWS\MSView.DLL - {00000580-C637-11D5-831C-00105AD6ACF0}

This is Transponder/MSView, see http://www.doxdesk.com/parasite/Transponder.html

MediaLoads Enhanced - C:\Program Files\MediaLoads Enhanced\ME1.DLL - {85A702BA-EA8F-4B83-AA07-07A5186ACD7E}

This is DownloadWare, see http://www.doxdesk.com/parasite/DownloadWare.html

[RdxIE Class]

This is RealDownload. I haven't analysed this yet so I don't know if it's harmful, but it certainly doesn't do any good to have it installed. Try to remove it from Downloaded Program Files in the Windows folder.

[ContentAuditX Control]

This is not actually harmful, but it's completely worthless. It's used by contentwatch.com, a site that claims to scan your computer for hidden pornography (!), but in fact just flags any files with words like 'sex' in the title, and then tells you to buy more software. I'd go to Downloaded Program Files and wipe it if I were you.

Hope that helps!

--
Andrew Clover
mailto:[email protected]
http://www.doxdesk.com/
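
A triage helper for the StartupList report format posted in this thread, added here as an example (not part of any poster's reply, and not code from StartupList or Spybot): it walks the Run-key and Browser Helper Object sections and flags the entries the reply above identified. The function name and lookup tables are assumptions built from the labels in that reply; a file-name or CLSID match is a lead to verify, not proof.

```python
import re

# Labels as given in the reply above; keys are lower-cased file names / CLSIDs.
KNOWN_FILES = {"sentry.exe": "IPInsight/Sentry", "upd.exe": "Totem Updater"}
KNOWN_CLSIDS = {
    "{000004CC-E4FF-4F2C-BC30-DBEF0B983BC9}": "IPInsight/Ipinsigt",
    "{00000580-C637-11D5-831C-00105AD6ACF0}": "Transponder/MSView",
    "{85A702BA-EA8F-4B83-AA07-07A5186ACD7E}": "DownloadWare",
}

# Constructed sample: a few lines taken from the StartupList report in this thread.
SAMPLE = r"""
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
NAV Agent = C:\PROGRA~1\NORTON~1\navapw32.exe
Sentry = C:\WINDOWS\Sentry.exe
Uninstall0001 = "C:\Program Files\Common Files\Totem Shared\Uninstall0001\upd.exe" LASTCALL!adverts.mp3dancer.com!StatsMP3Dancer
--------------------------------------------------
Enumerating Browser Helper Objects:
(no name) - C:\WINDOWS\MSView.DLL - {00000580-C637-11D5-831C-00105AD6ACF0}
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}
"""

RUN_RE = re.compile(r"^([^=\[\]]+?) = (.+)$")          # value name = command line
BHO_RE = re.compile(r"^(.+?) - ([A-Za-z]:\\.+?) - (\{[0-9A-Fa-f-]{36}\})$")
PATH_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:exe|dll|ocx))', re.I)

def flag_known(report):
    """Return (section, entry name, label) for entries the reply identified."""
    hits, section = [], None
    for line in map(str.strip, report.splitlines()):
        if line.startswith(("HKLM\\", "HKCU\\")):
            section = line                      # registry key heading of a Run section
        elif line.startswith("Enumerating Browser Helper Objects"):
            section = "BHO"
        elif line.startswith("-----") or line.startswith("Enumerating"):
            section = None                      # separator or a section we do not parse
        elif section == "BHO" and (m := BHO_RE.match(line)):
            if (label := KNOWN_CLSIDS.get(m[3].upper())):
                hits.append((section, m[1], label))
        elif section and section != "BHO" and (m := RUN_RE.match(line)):
            path = PATH_RE.search(m[2])         # executable inside the command line
            base = path[1].rsplit("\\", 1)[-1].lower() if path else ""
            if base in KNOWN_FILES:
                hits.append((section, m[1], KNOWN_FILES[base]))
    return hits

print(flag_known(SAMPLE))
```
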
 
Joined
Jan 16, 2003
Messages
8
This probably means the file is in use - that is, Totem is currently running. Open the Task Manager (Ctrl-Alt-Delete), pick the 'Processes' tab, and kill 'upd.exe'. Then you should be able to delete it.

Removing the HKLM...Run registry entry then rebooting is another way to stop the process from running.

--
Andrew Clover
mailto:[email protected]
http://www.doxdesk.com/
 

wguido

Thread Starter
Joined
Jan 16, 2003
Messages
206
Ok, I got Totem deleted, but still popups! :( Is there an easier way to get rid of it?
 
Joined
Oct 15, 2002
Messages
101
Hey Andrew, nice to see ya. You are quite correct about SSD targeting most of these. BTW I saw that bit of business at AA/LS the other day. Guess they want to alienate everyone in the industry now. :)

wguido, I would suggest you try SSD again and make sure you have the current version; v1.1r4 then use the internal updater to get the latest sigs. Get it here; http://www.lurkhere.com/~nicefiles/index.html

For a REAL task manager you might try ProcExp; http://www.sysinternals.com/ntw2k/freeware/procexp.shtml
 

wguido

Thread Starter
Joined
Jan 16, 2003
Messages
206
I did dl it, updated it, rebooted....STILL HAVE POP UPS! This is driving me crazy! lol I never had them on my homepage or bank page or email page before.
 
Joined
Oct 15, 2002
Messages
101
Did you get rid of IPInsight? Transponder? DownloadWare? I know for a fact that the SSD scan will pick these up.

Would you post a copy of your SSD results please. Just right click in the results and choose 'copy to clipboard' and then paste here.

EDIT: Also, could you get a copy of HijackThis and run a scan and post its results too; http://www.spywareinfo.com/~merijn/files/hijackthis.zip
 