Sponsor for PC Pals Forum

Author Topic: Adware  (Read 2267 times)

Offline Scotty_CFC

  • Regular Member
  • **
  • Posts: 85
Adware
« on: January 21, 2005, 10:03 »
I am really p**sed off!

I got some adware on my PC. It keeps replacing my homepage with "about:blank" showing me a sh1tty search engine with about 3 popups saying "We have detected adware on your pc", no sh1t, they were the b*****ds that put it there. Everytime I browse, i get about 5 popups about loans, porn, adware etc.

Anyway, I have run "AdAware SE" about 3 times and deleted all found objects. Usually this program gets rid of it no probs, but this is proving to be a b*****d. I tried to find it manually so that i could delete it, but could only find the culprit on the "Add/Remove programs" list, (which wont remove it). I have tried searching my C: drive for the thing but it cant find it.

I have tried restoring my PC, but all the previous dates have been removed, and the only date to recover to is the date i received this pain in the arse.

Any suggestions will be appreciated.

HP Pavillion
Win XP
1.8 ghz celeron
512mb ram
64mb 9100 radeon
1mb AOL connection

Offline Scotty_CFC

  • Regular Member
  • **
  • Posts: 85
Re:Adware
« Reply #1 on: January 21, 2005, 10:07 »
Oh and yes, my adware program HAS been updated.

Offline joudi

  • Established Member
  • ****
  • Posts: 1260
Re:Adware
« Reply #2 on: January 21, 2005, 11:15 »
Get at least the "Windows update critic". Maybe all SP1 of windows. And if you have a way to SP2 it includes that too.
object width="450" height="150">

Offline Tony

  • Loyal Member
  • *****
  • Posts: 3367
    • http://www.sugrue.ndo.co.uk
Re:Adware
« Reply #3 on: January 21, 2005, 12:06 »
You need "Hijack This" find it here http://www.merijn.org/downloads.html then copy the log file it produces and paste it here >>>>>>
http://www.merijn.org/downloads.html

Athiesm is a non-prophet organization.

Offline Sandra

  • Ultimate Member
  • *******
  • Posts: 12155
Re:Adware
« Reply #4 on: January 21, 2005, 12:09 »
I have found that sometimes if you search for the name of the search engine in google or other search engines theres often a link for a way to remove it.
Failing that run the latest version of Hijackthis and posty the results for us to check  :)

Offline Scotty_CFC

  • Regular Member
  • **
  • Posts: 85
Re:Adware
« Reply #5 on: January 21, 2005, 14:54 »
Logfile of HijackThis v1.98.2
Scan saved at 14:50:14, on 21/01/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\mfchi32.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\mHotkey.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\VoyagerTest\fts.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\WINDOWS\system32\ipte32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\Scott Rosam\Desktop\HijackThis19802.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\sbfyk.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\sbfyk.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\sbfyk.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\sbfyk.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\sbfyk.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\sbfyk.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\sbfyk.dll/sp.html#12345
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {9B442A67-4BF8-9AC9-9912-E5D9A99FE86D} - C:\WINDOWS\system32\winqd32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [Windows ControlAd] C:\Program Files\Windows ControlAd\WinCtlAd.exe
O4 - HKLM\..\Run: [ipte32.exe] C:\WINDOWS\system32\ipte32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0a\aoltray.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.co.uk
O15 - Trusted Zone: *.frame.crazywinnings.com
O16 - DPF: ChatSpace Full Java Client 2.1.0.95 - http://204.157.0.209:8000/Java/cs4fs095.cab
O16 - DPF: ChatSpace Full Java Client 3.1.0.235 - http://chatway.hostxpro.net:8000/Java/cfs31235.cab
O16 - DPF: Dice Derby by pogo - http://game4.pogo.com/applet-6.1.0.39/checkeredflag/checkeredflag-ob-assets.cab
O16 - DPF: Fortune Bingo by pogo - http://game4.pogo.com/applet-5.9.3.38/superbingo/superbingo-ob-assets.cab
O16 - DPF: Phlinx by pogo - http://game4.pogo.com/applet-5.9.1.28/flinger/flinger-ob-assets.cab
O16 - DPF: Pop Fu by pogo - http://game4.pogo.com/applet-5.9.1.28/popfu/popfu-ob-assets.cab
O16 - DPF: Squelchies by pogo - http://game4.pogo.com/applet-5.9.2.31/squelchies/squelchies-ob-assets.cab
O16 - DPF: Texas Hold'em Poker by pogo - http://game4.pogo.com/applet-6.0.4.37/holdem/holdem-ob-assets.cab
O16 - DPF: World Class Solitaire by pogo - http://game4.pogo.com/applet-6.1.0.39/worldclass/worldclass-ob-assets.cab
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
O16 - DPF: Yahoo! Go - http://download.games.yahoo.com/games/clients/y/gt2_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt3_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab30149.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {1DA3C4AB-E6B6-47A6-B0F3-1BD81524B51B} (ActiveWorldsDownload Control) - http://www.activeworlds.com/products/ActiveWorldsDownload.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab30149.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab31267.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v6.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{710CDFD7-2D2F-4966-BAA9-8C6B298D45A4}: NameServer = 195.93.34.134

Offline Tony

  • Loyal Member
  • *****
  • Posts: 3367
    • http://www.sugrue.ndo.co.uk
Re:Adware
« Reply #6 on: January 21, 2005, 16:08 »
Well thats a cracker of a logfile.....did you copy and paste it to that link I gave you ? ....Because if you did you would see it has highlighted 12 "Nasties" and 12 "Possible Nasties"

It also tells you to install XP SP2, and it says you are not running a Anti Virus program.....if that is so you deserve to be taken out and shot  ;D ;)

Look just follow the instructions with the "Hijack This" program and remove those bad entry's.
Athiesm is a non-prophet organization.

Offline TR

  • Forum Fanatic
  • ******
  • Posts: 7149
Re:Adware
« Reply #7 on: January 21, 2005, 16:12 »
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain


Thats one  ;)

Edit: be very careful on what you delete as a wrong tick could disenable your computer  :-[

Offline Tony

  • Loyal Member
  • *****
  • Posts: 3367
    • http://www.sugrue.ndo.co.uk
Re:Adware
« Reply #8 on: January 21, 2005, 17:14 »
Must second TR's caution regards deletions.....The analyis can highlight "Nasties" that are not nasties. For instance I have one highlighted as a "Nasty" when it is in fact my "Trading Platform"

And two "Unknown" enteries that are my "Analytical Software" Both these programs send and receive data to my computer constantly. Hence they were highlighted, which is understandable, as they are sending data.

Rule of thumb, if you know it is a program you installed and know to be clean...leave it.

Any "Nasties" you dont recognise copy and paste into "Google" and see what comes up. If its spyware there will be plenty of searches on it in Google.
Athiesm is a non-prophet organization.

Offline Simon

  • Administrator
  • *****
  • Posts: 77923
  • First to score 7/7 in Quiz of The Week's News 2017
Re:Adware
« Reply #9 on: January 21, 2005, 17:59 »
I would guess that this lot are possibly the main cause of your pop up problems, as they seem to have infested Internet Explorer, so I would remove these:-
Quote
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\sbfyk.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\sbfyk.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\sbfyk.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\sbfyk.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\sbfyk.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\sbfyk.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\sbfyk.dll/sp.html#12345


What are all the games at the bottom of ths list?  Are they what you have downloaded yourself?
Many thanks to all our members, who have made PC Pals such an outstanding success!   :thumb:

Offline Simon

  • Administrator
  • *****
  • Posts: 77923
  • First to score 7/7 in Quiz of The Week's News 2017
Re:Adware
« Reply #10 on: January 21, 2005, 18:01 »
You need "Hijack This" find it here http://www.merijn.org/downloads.html then copy the log file it produces and paste it here >>>>>>
http://www.merijn.org/downloads.html


Is that second link correct, Tony?  Looks the same as the first one to me.   ;)
Many thanks to all our members, who have made PC Pals such an outstanding success!   :thumb:

Offline Scotty_CFC

  • Regular Member
  • **
  • Posts: 85
Re:Adware
« Reply #11 on: January 21, 2005, 19:10 »
I deleted all the known "nasties" and when i went back they reinstalled... agh i gave up. I checked out that mozilla browser, had a lil play with it, and found i liked it better than IE6, plus it has a nifty built in popup blocker :D

As for installing SP2, I've had enough grief from that pile of crap already, so I aint even gonna try  :P

Cheers for the help


Offline Dack

  • Established Member
  • ****
  • Posts: 831
Re:Adware
« Reply #12 on: January 21, 2005, 19:17 »
First thing to do is download the latest version of HJT and scan again - it checks some extra areas.
hey promised the earth! Then delivered mud.
Technically it did meet the spec.

Offline Tony

  • Loyal Member
  • *****
  • Posts: 3367
    • http://www.sugrue.ndo.co.uk
Re:Adware
« Reply #13 on: January 21, 2005, 19:42 »

You need "Hijack This" find it here http://www.merijn.org/downloads.html then copy the log file it produces and paste it here >>>>>>
http://www.merijn.org/downloads.html


Is that second link correct, Tony?  Looks the same as the first one to me.   ;)


 :-[  :yoops: I ment to post this http://www.hijackthis.de/
Athiesm is a non-prophet organization.


Show unread posts since last visit.
Sponsor for PC Pals Forum