
Ad aware did not get rid of spyware

Discussion in 'Virus & Other Malware Removal' started by wguido, Jan 16, 2003.

Thread Status:
Not open for further replies.
  1. wguido

    wguido Thread Starter

    Joined:
    Jan 16, 2003
    Messages:
    206
    I have tried everything, and I cannot get the stupid pop-ups that were NEVER there before off. I downloaded Ad-Aware, did not work, I tried a reg cleaner, Windows Washer, Spybot, everything you can think of. Even restored my computer back 2 months, HELP!!!!!!!!!!
     
  2. pyritechips

    pyritechips Gone but Never Forgotten

    Joined:
    Jun 2, 2002
    Messages:
    26,907
    First Name:
    Jim

    Hello!

    This sounds like it should be in the security forum, so assuming that it's ok with you, I will request that it be moved.

    Exactly what kind of popups are you getting? Can you give us more information, like: What operating system do you have, what browser?

    In the meantime, you can go to the following site and download and run Startuplist 1.51 and post the results here:

    http://www.lurkhere.com/~nicefiles/
     


  3. Davey7549

    Davey7549

    Joined:
    Feb 28, 2001
    Messages:
    11,584
    Moved to Security PC! By the way I like your Welcome Gif!! Nice Job!

    Dave
     
  4. wguido

    wguido Thread Starter

    Joined:
    Jan 16, 2003
    Messages:
    206
    StartupList report, 1/16/2003, 3:50:20 PM
    StartupList version: 1.51
    Started from : C:\unzipped\startuplist151[1]\StartupList.EXE
    Detected: Windows XP SP1 (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\DELL\AccessDirect\dadapp.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
    C:\Program Files\Common Files\Totem Shared\Uninstall0001\upd.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Program Files\Washer\washer.exe
    C:\Program Files\D-Link AirPlus\WLANMON.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\AIM95\aim.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\unzipped\startuplist151[1]\StartupList.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    D-Link AirPlus DWL-650+ Utility.lnk = ?

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    NvCplDaemon = RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    SynTPLpr = C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    SynTPEnh = C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    DadApp = C:\Program Files\DELL\AccessDirect\dadapp.exe
    NAV Agent = C:\PROGRA~1\NORTON~1\navapw32.exe
    NeroCheck = C:\WINDOWS\System32\NeroCheck.exe
    Dell|Alert = C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
    Sentry = C:\WINDOWS\Sentry.exe
    Uninstall0001 = "C:\Program Files\Common Files\Totem Shared\Uninstall0001\upd.exe" LASTCALL!adverts.mp3dancer.com!StatsMP3Dancer
    Microsoft Works Update Detection = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

    washindex = C:\Program Files\Washer\washidx.exe "Wendie"

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    AIM = C:\Program Files\AIM95\aim.exe -cnetwait.odl
    Microsoft Works Update Detection = C:\Program Files\Microsoft Works\WkDetect.exe
    Washer = C:\Program Files\Washer\washer.exe /0

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

    washindex = C:\Program Files\Washer\washidx.exe "Wendie"

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - C:\WINDOWS\IPINSIGT.DLL - {000004CC-E4FF-4F2C-BC30-DBEF0B983BC9}
    (no name) - C:\WINDOWS\MSView.DLL - {00000580-C637-11D5-831C-00105AD6ACF0}
    MediaLoads Enhanced - C:\Program Files\MediaLoads Enhanced\ME1.DLL - {85A702BA-EA8F-4B83-AA07-07A5186ACD7E}
    NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}
    (no name) - C:\Program Files\Microsoft Money\System\mnyviewer.dll - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Norton AntiVirus - Scan my computer.job
    Symantec NetDetect.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [SysProWmi Class]
    InProcServer32 = C:\WINDOWS\System32\Dell\SystemProfiler\SysPro.ocx
    CODEBASE = http://support.dell.com/us/en/systemprofiler/SysPro.CAB

    [RdxIE Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\RdxIE.dll
    CODEBASE = http://207.188.7.150/161b002aed60a3bd7306/netzip/RdxIE601.cab

    [DmiReader Class]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\SYSPRO~1.DLL
    CODEBASE = http://ftp.us.dell.com/fixes/PROFILER.CAB

    [ContentAuditX Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\CONTEN~1.OCX
    CODEBASE = http://a840.g.akamai.net/7/840/5805...ch.com/audit/includes/ContentAuditControl.cab

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
    CODEBASE = http://active.macromedia.com/flash2/cabs/swflash.cab

    --------------------------------------------------

    Enumerating Windows NT logon/logoff scripts:
    *No scripts set to run*

    Windows NT checkdisk command:
    BootExecute = autocheck autochk *

    Windows NT 'Wininit.ini':
    PendingFileRenameOperations: \??\C:\DOCUME~1\Wendie\LOCALS~1\Temp\GLB1A2B.EXE||\??\C:\DOCUME~1\Wendie\LOCALS~1\Temp\GLB1A2B.EXE


    --------------------------------------------------
    End of report, 6,252 bytes
    Report generated in 0.210 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     
  5. brendandonhu

    brendandonhu

    Joined:
    Jul 8, 2002
    Messages:
    14,681
    I don't see anything but you can try spybot from http://security.kolla.de

    In my tests, it caught more than adaware.
    Make sure you update the program before downloading by clicking Online, Check For Updates, Download Updates.
     
  6. wguido

    wguido Thread Starter

    Joined:
    Jan 16, 2003
    Messages:
    206
    I did, nothing
     
  7. wguido

    wguido Thread Starter

    Joined:
    Jan 16, 2003
    Messages:
    206
    the same ads that pop up are ebay, debt consolidation, specific pop, and albion...
     
  8. bobince

    bobince

    Joined:
    Jan 16, 2003
    Messages:
    8
    Crumbs, you've got heaps of problems there. Are you sure you're using Spybot with the latest updates? Because I'm sure it should catch some of these:

    Sentry = C:\WINDOWS\Sentry.exe

    This is IPInsight/Sentry, see http://www.doxdesk.com/parasite/IPInsight.html

    Uninstall0001 = "C:\Program Files\Common Files\Totem Shared\Uninstall0001\upd.exe" LASTCALL!adverts.mp3dancer.com!StatsMP3Dancer

    This is Totem Updater. I've never seen it actually do anything, but it hangs around after uninstalling any of their programs (MP3Dancer in this case) and looks generally suspicious. Delete this startup entry using HijackThis! or regedit (registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Uninstall0001). Reboot and wipe the whole Program Files\Common Files\Totem Shared folder.

    (no name) - C:\WINDOWS\IPINSIGT.DLL - {000004CC-E4FF-4F2C-BC30-DBEF0B983BC9}

    This is IPInsight/Ipinsigt, see the above page again.

    (no name) - C:\WINDOWS\MSView.DLL - {00000580-C637-11D5-831C-00105AD6ACF0}

    This is Transponder/MSView, see http://www.doxdesk.com/parasite/Transponder.html

    MediaLoads Enhanced - C:\Program Files\MediaLoads Enhanced\ME1.DLL - {85A702BA-EA8F-4B83-AA07-07A5186ACD7E}

    This is DownloadWare, see http://www.doxdesk.com/parasite/DownloadWare.html

    [RdxIE Class]

    This is RealDownload. I haven't analysed this yet so I don't know if it's harmful, but it certainly doesn't do any good to have it installed. Try to remove it from Downloaded Program Files in the Windows folder.

    [ContentAuditX Control]

    This is not actually harmful, but it's completely worthless. It's used by contentwatch.com, a site that claims to scan your computer for hidden pornography (!), but in fact just flags any files with words like 'sex' in the title, and then tells you to buy more software. I'd go to Downloaded Program Files and wipe it if I were you.

    Hope that helps!

    --
    Andrew Clover
    mailto:[email protected]
    http://www.doxdesk.com/
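
The matching done by hand in the reply above can be scripted. This is an added example, not part of the original thread: it parses the Run-key and Browser Helper Object sections of a StartupList report and flags only the entries that reply identified. The function name `triage` and the two lookup tables are assumptions made for illustration; the sample is an excerpt of the report posted earlier in the thread.

```python
import re

# Identifications taken from the reply above (CLSID or Run value name -> label).
KNOWN_BHO = {
    "{000004CC-E4FF-4F2C-BC30-DBEF0B983BC9}": "IPInsight",
    "{00000580-C637-11D5-831C-00105AD6ACF0}": "Transponder/MSView",
    "{85A702BA-EA8F-4B83-AA07-07A5186ACD7E}": "DownloadWare",
}
KNOWN_RUN = {"sentry": "IPInsight/Sentry", "uninstall0001": "Totem Updater"}
BHO_RE = re.compile(r"^(?P<name>.+?) - (?P<path>.+) - (?P<clsid>\{[0-9A-Fa-f-]{36}\})$")
RUN_RE = re.compile(r"^(?P<name>[^=]+?) = (?P<cmd>.+)$")

def triage(report: str):
    """Return (section, entry name, path/command, label) for known entries."""
    findings, section = [], None
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        if set(line) == {"-"}:             # a dashed rule ends the section
            section = None
        elif line.startswith("Enumerating Browser Helper Objects"):
            section = "BHO"
        elif re.match(r"^HK(LM|CU)\\.*\\Run(Once)?$", line):
            section = line                 # remember which Run key we are in
        elif section == "BHO" and (m := BHO_RE.match(line)):
            label = KNOWN_BHO.get(m["clsid"].upper())
            if label:
                findings.append(("BHO", m["name"], m["path"], label))
        elif section and section != "BHO" and (m := RUN_RE.match(line)):
            label = KNOWN_RUN.get(m["name"].strip().lower())
            if label:
                findings.append((section, m["name"], m["cmd"], label))
    return findings

# Excerpt of the StartupList report posted in this thread, shortened.
SAMPLE = r"""
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
NAV Agent = C:\PROGRA~1\NORTON~1\navapw32.exe
Sentry = C:\WINDOWS\Sentry.exe
Uninstall0001 = "C:\Program Files\Common Files\Totem Shared\Uninstall0001\upd.exe" LASTCALL!adverts.mp3dancer.com!StatsMP3Dancer
--------------------------------------------------
Enumerating Browser Helper Objects:
(no name) - C:\WINDOWS\IPINSIGT.DLL - {000004CC-E4FF-4F2C-BC30-DBEF0B983BC9}
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}
"""
```

Matching BHOs on CLSID rather than display name matters here because two of the flagged entries appear in the report as "(no name)".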
     
  9. wguido

    wguido Thread Starter

    Joined:
    Jan 16, 2003
    Messages:
    206
    It won't delete Totem. It says it is write protected
     
  10. bobince

    bobince

    Joined:
    Jan 16, 2003
    Messages:
    8
    This probably means the file is in use - that is, Totem is currently running. Open the Task Manager (Ctrl-Alt-Delete), pick the 'Processes' tab, and kill 'upd.exe'. Then you should be able to delete it.

    Removing the HKLM...Run registry entry then rebooting is another way to stop the process from running.

    --
    Andrew Clover
    mailto:[email protected]
    http://www.doxdesk.com/
     
  11. wguido

    wguido Thread Starter

    Joined:
    Jan 16, 2003
    Messages:
    206
    there is no upd file
     
  12. wguido

    wguido Thread Starter

    Joined:
    Jan 16, 2003
    Messages:
    206
    OK, I got Totem deleted, but still popups! :( Is there an easier way to get rid of it?
     
  13. mViOkPe

    mViOkPe

    Joined:
    Oct 15, 2002
    Messages:
    101
    Hey Andrew, nice to see ya. You are quite correct about SSD targeting most of these. BTW I saw that bit of business at AA/LS the other day. Guess they want to alienate everyone in the industry now. :)

    wguido, I would suggest you try SSD again and make sure you have the current version; v1.1r4 then use the internal updater to get the latest sigs. Get it here; http://www.lurkhere.com/~nicefiles/index.html

    For a REAL task manager you might try ProcExp; http://www.sysinternals.com/ntw2k/freeware/procexp.shtml
     
  14. wguido

    wguido Thread Starter

    Joined:
    Jan 16, 2003
    Messages:
    206
    I did dl it, updated it, rebooted....STILL HAVE POP UPS! This is driving me crazy! lol I never had them on my homepage or bank page or email page before.
     
  15. mViOkPe

    mViOkPe

    Joined:
    Oct 15, 2002
    Messages:
    101
    Did you get rid of IPInsight? Transponder? DownloadWare? I know for a fact that the SSD scan will pick these up.

    Would you post a copy of your SSD results please. Just right click in the results and choose 'copy to clipboard' and then paste here.

    EDIT: Also, could you get a copy of HijackThis and run a scan and post its results too; http://www.spywareinfo.com/~merijn/files/hijackthis.zip
     
Short URL to this thread: https://techguy.org/113586
