Ad aware did not get rid of spyware

[wguido]

I have tried everything, and I can not get the stupid pop ups that were NEVER there before off. I downloaded adaware, did not work, i tried a reg cleaner, windows washer, spybot, everything you can think of. Even restored my computer back 2 months, HELP!!!!!!!!!!

 

[pyritechips]

<img src="http://forums.techguy.org/attachment.php?s=&postid=684669">

Hello!

This sounds like it should be in the security forum, so assuming that it's ok with you, I will request that it be moved.

Wxactly what kind of popups are you getting? Can you give us more information, like: What operating system do you have, what browser?

In the mean time, you can go to the following site and download and run Startuplist 1.51 and post the results here:

http://www.lurkhere.com/~nicefiles/

 

[Davey7549]

Moved to Security PC! By the way I like your Welcome Gif!! Nice Job!

Dave

 

[wguido]

StartupList report, 1/16/2003, 3:50:20 PM
StartupList version: 1.51
Started from : C:\unzipped\startuplist151[1]\StartupList.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\DELL\AccessDirect\dadapp.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\Common Files\Totem Shared\Uninstall0001\upd.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Washer\washer.exe
C:\Program Files\D-Link AirPlus\WLANMON.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\unzipped\startuplist151[1]\StartupList.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
D-Link AirPlus DWL-650+ Utility.lnk = ?

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

NvCplDaemon = RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
SynTPLpr = C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
SynTPEnh = C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
DadApp = C:\Program Files\DELL\AccessDirect\dadapp.exe
NAV Agent = C:\PROGRA~1\NORTON~1\navapw32.exe
NeroCheck = C:\WINDOWS\System32\NeroCheck.exe
Dell|Alert = C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
Sentry = C:\WINDOWS\Sentry.exe
Uninstall0001 = "C:\Program Files\Common Files\Totem Shared\Uninstall0001\upd.exe" LASTCALL!adverts.mp3dancer.com!StatsMP3Dancer
Microsoft Works Update Detection = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

washindex = C:\Program Files\Washer\washidx.exe "Wendie"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

AIM = C:\Program Files\AIM95\aim.exe -cnetwait.odl
Microsoft Works Update Detection = C:\Program Files\Microsoft Works\WkDetect.exe
Washer = C:\Program Files\Washer\washer.exe /0

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

washindex = C:\Program Files\Washer\washidx.exe "Wendie"

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\WINDOWS\IPINSIGT.DLL - {000004CC-E4FF-4F2C-BC30-DBEF0B983BC9}
(no name) - C:\WINDOWS\MSView.DLL - {00000580-C637-11D5-831C-00105AD6ACF0}
MediaLoads Enhanced - C:\Program Files\MediaLoads Enhanced\ME1.DLL - {85A702BA-EA8F-4B83-AA07-07A5186ACD7E}
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}
(no name) - C:\Program Files\Microsoft Money\System\mnyviewer.dll - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Norton AntiVirus - Scan my computer.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[SysProWmi Class]
InProcServer32 = C:\WINDOWS\System32\Dell\SystemProfiler\SysPro.ocx
CODEBASE = http://support.dell.com/us/en/systemprofiler/SysPro.CAB

[RdxIE Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\RdxIE.dll
CODEBASE = http://207.188.7.150/161b002aed60a3bd7306/netzip/RdxIE601.cab

[DmiReader Class]
InProcServer32 = C:\WINDOWS\DOWNLO~1\SYSPRO~1.DLL
CODEBASE = http://ftp.us.dell.com/fixes/PROFILER.CAB

[ContentAuditX Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\CONTEN~1.OCX
CODEBASE = http://a840.g.akamai.net/7/840/5805...ch.com/audit/includes/ContentAuditControl.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://active.macromedia.com/flash2/cabs/swflash.cab

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: \??\C:\DOCUME~1\Wendie\LOCALS~1\Temp\GLB1A2B.EXE||\??\C:\DOCUME~1\Wendie\LOCALS~1\Temp\GLB1A2B.EXE


--------------------------------------------------
End of report, 6,252 bytes
Report generated in 0.210 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

 

[brendandonhu]

I don't see anything but you can try spybot from http://security.kolla.de

In my tests, it caught more than adaware.
Make sure you update the program before downloading by clicking Online, Check For Updates, Download Updates.

 

[wguido]

I did, nothing

 

[wguido]

the same ads that pop up are ebay, debt consolidation, specific pop, and albion...

 

[bobince]

Crumbs, you've got heaps of problems there. Are you sure you're using Spybot with the latest updates? Because I'm sure it should catch some of these:

Sentry = C:\WINDOWS\Sentry.exe

This is IPInsight/Sentry, see http://www.doxdesk.com/parasite/IPInsight.html

Uninstall0001 = "C:\Program Files\Common Files\Totem Shared\Uninstall0001\upd.exe" LASTCALL!adverts.mp3dancer.com!StatsMP3Dancer

This is Totem Updater. I've never seen it actually do anything, but it hangs around after uninstalling any of their programs (MP3Dancer in this case) and looks generally suspicious. Delete this startup entry using HijackThis! or regedit (registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Uninstall0001). Reboot and wipe the whole Program Files\Common Files\Totem Shared folder.

(no name) - C:\WINDOWS\IPINSIGT.DLL - {000004CC-E4FF-4F2C-BC30-DBEF0B983BC9}

This is IPInsight/Ipinsigt, see the above page again.

(no name) - C:\WINDOWS\MSView.DLL - {00000580-C637-11D5-831C-00105AD6ACF0}

This is Transponder/MSView, see http://www.doxdesk.com/parasite/Transponder.html

MediaLoads Enhanced - C:\Program Files\MediaLoads Enhanced\ME1.DLL - {85A702BA-EA8F-4B83- AA07-07A5186ACD7E}

This is DownloadWare, see http://www.doxdesk.com/parasite/DownloadWare.html

[RdxIE Class]

This is RealDownload. I haven't analysed this yet so I don't know if it's harmful, but it certainly doesn't do any good to have it installed. Try to remove it from Downloaded Program Files in the Windows folder.

[ContentAuditX Control]

This is not actually harmful, but it's completely worthless. It's used by contentwatch.com, a site that claims to scan your computer for hidden pornography (!), but in fact just flags any files with words like 'sex' in the title, and then tells you to buy more software. I'd go to Downloaded Program Files and wipe it if I were you.

Hope that helps!

--
Andrew Clover
mailto:and@doxdesk.com
http://www.doxdesk.com/

 

[wguido]

It wont delete Totem. It says it is white protected

 

[bobince]

This probably means the file is in use - that is, Totem is currently running. Open the Task Manager (Ctrl-Alt-Delete), pick the 'Processes' tab, and kill 'upd.exe'. Then you should be able to delete it.

Removing the HKLM...Run registry entry then rebooting is another way to stop the process from running.

--
Andrew Clover
mailto:and@doxdesk.com
http://www.doxdesk.com/

 

[wguido]

there is no upd file

 

[wguido]

ok, i got totem delted, but still popups! is there an easier way to get rid of it?

 

[mViOkPe]

Hey Andrew, nice to see ya. You are quite correct about SSD targeting most of these. BTW I saw that bit of business at AA/LS the other day. Guess they want to alienate everyone in the industry now.

wguido, I would suggest you try SSD again and make sure you have the current version; v1.1r4 then use the internal updater to get the latest sigs. Get it here; http://www.lurkhere.com/~nicefiles/index.html

For a REAL task manager you might try ProcExp; http://www.sysinternals.com/ntw2k/freeware/procexp.shtml

 

[wguido]

I did dl it, updared it, rebooted....STILL HAVE POP UPS! This is driving me crazy! lol I never had them on my homepage or bank page or email page before.

 

[mViOkPe]

Did you get rid of IPInsight? Transponder? DownloadWare? I know for a fact that the SSD scan will pick these up.

Would you post a copy of your SSD results please. Just right click in the results and choose 'copy to clipboard' and then paste here.

EDIT: Also, could you get a copy of HighjackThis and run a scan and post it's results too; http://www.spywareinfo.com/~merijn/files/hijackthis.zip