MSAntiSpyware not being able to remove Pop-ups

G

Guest

Hello everybody,
This is Vishal Bhatt from India,
Happy New Year to all of you...

Here's the Problem Statement:

Running MSSRT (Microsoft Suspected Spyware Reporting Tool) gave a report
regarding improper proxy settings and didn't send the data to Microsoft.

Websites like these pop up whenever I get online on my broadband or
whenever I get online on my Yahoo Messenger.

http://www.health-yshopping.com/normal/yyy102.html
http://www.hug-ediscounts.com/normal/yyy102.html
http://www.hug-ediscounts.com/normal/yyy65.html
http://www.dealiotoday.com/normal/yyy102.html
http://www.ecommerc-e.com/normal/yyy102.html
http://www.searc-h.com/error_docs/forbidden.html
http://www.bigdiscountbuy.com/normal/yyy102.html
http://www.mediapurchases.com/normal/yyy102.html
http://getvisitors.net/

and the IP address which redirects me to all those advertising pop-up sites above is 64.192.130.141

One clue, I don't know whether that will help you out, but let me tell you:
all these things started from www.crackz.ws or http://(somecracksite).ws.
After trying to run a keygen or serial number generator prog, I think I caught this.

I suspect that some DLLs from the Windows\System32 folder in my computer
are installing themselves to memory as soon as the computer starts, even in safe mode,
'cos when I try to remove them or delete them, it doesn't allow it. Also they've made
their entry into the system registry in the CLSID section. I tried to delete that entry
and delete those DLL files, but every time I restart the computer, I find that that file
has changed its name and also made an entry under its changed name in the system
registry CLSID section, and is also installed in memory, so that the DLL file can't
be deleted.

I deep scanned the whole computer, all the hard drives; it removed some of them,
but I think it's not totally removed. Some traces which are QUITE deep and a
HIGHLY intellectual or complex adware program should be there which I can't find
by running fully updated MS AntiSpyware!!!

After that I ran http://safety.live.com which removed 3 viruses.
I'm also going for the ewido online scan now, which shows spyware.look2me.

I tried downloaded free versions of SPYBOT, ADWARE from www.pcsafe.com,
Spyware Doctor from pctools.com, AdAware from Lavasoft.com etc.
I'm not sure whether I should trust other sites like
www.f-secure.com/blacklight
www.ewido.com/
www.rootrevit.com/

PLS help me out.

VISHAL V. BHATT
(e-mail address removed)
 
P

plun

G

Guest

Hello Vishal:
I have a remarkably similar problem to the one you describe. Furthermore, I
have had this infection before and I ended up reloading my system from
scratch, a cold start.

I am sorry I cannot help you out, but I share your frustration. I am not
sure why we cannot troubleshoot this issue and find a definitive reference to
a solution on the net. Plun's suggestion is interesting, but does not
address the root cause. I have used MSAS as well as SpyBot Search&Destroy.
SpyBot S&D finds adware, claims to remove them, but they just reappear on next
load. I can use MSAS to reset the browser options. But on second use of the
browser, they get reset to the adware sites, suggesting some form of BHO
code is executing. I remove the BHO's, but they come back. I see a class
BHO in the MSAS System Explorer BHO list at "c:\windows\system32\javacn.dll".
I get rid of this, but it returns. My home page gets redirected to
"about:blank" with an official-looking page featuring the IE logo and a
search field filled in with "viagra", "online gambling", "party poker" or
similar annoying search words.

I have tried the startup in safe mode as well. But I cannot remove the
offending software... it just comes back. In my Windows directory I see a
whole bunch of 12k files: addeb32, addfg32, addcg32, addfl, etc, etc. These
files are applications. If I remove them, they come back with different
names on next restart of the system or next reuse of IE.

Anyone with knowledge that might help me out or the community would be
appreciated.

Cheers.
 
G

Guest

If you are running SP2, open IE--->Tools--->Manage Add-ons, and uncheck any
BHO's that you don't recognize.

You can also use the System Explorers in Microsoft Antispyware to look at
BHO's and block them; it also shows known and unknown BHO's.
http://www.microsoft.com/windowsxp/using/web/sp2_addonmanager.mspx

I also suggest downloading, installing and updating BHODemon for any Browser
Helper Objects that may be on the PC.
* BHODemon
http://www.definitivesolutions.com/bhodemon.htm

http://www.majorgeeks.com/downloadget.php?id=3550&file=11&evp=245a87539eea8ed6904332b4b8b8442d

Also get HijackThis.exe from
http://tomcoyote.org/hjt/hjt199//HijackThis.exe
http://computercops.biz/HijackThis.html

Save it to C:\hjt (new folder), then open it and select Scan and Save Log.
Note where you saved the log, then send it to him as an attachment. Put
Hijack in the subject so he'll know it's not spam.

Alternatively you can post it on the Dell Forum at:

http://forums.us.dell.com/supportforums/board?board.id=si_hijack

(if it wraps you can go to:

http://tinyurl.com/ckuzq instead.)

Put Ron in the subject so he will see it. You do not need to have a Dell to
post but you will need to register.

Ron Kinner
Microsoft MVP 2004 & 2005
(e-mail address removed)

Engel
 
G

Guest

Thanks for your advice. I will use it for future issues. BTW, I was using
XP SP2.
In the interim, I used HijackThis to identify any unusual startup items and BHO's
and removed them in Safe Mode.

Then, I went into the c:\Windows and c:\windows\system32 directory in safe
mode and looked for any "application" (exe's) or "application extension"
(dll's) files that had no "Description" or "Company" attributes that were not
from "Microsoft Corporation" or other reputable vendor and removed them.
There were approximately 250 applications with names of the form xxxx32.exe,
xxxx32.dll, xxxx.exe and xxxx.dll (x = alpha char) that, when the cursor
hovered over the name of the file, did not show a good Description or Company
attribute. These attributes were null. I removed all of these.

Some had names of the form expand.exe or append.exe, which are legitimate
components of the Windows OS, but were not in the correct directory and did
not have the Description and Company attributes. I removed these too.

I understand this approach is somewhat unreliable (manual) as one can miss a
file very easily. Should I get another infection of this virus, I may write
a program to discover the files and rid my system of them in a more reliable
fashion. At the present time, I seem to be rid of the virus!! Yes!

Cheers.
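The last two posts describe two manual checks: Ron's advice to review the registered Browser Helper Objects, and the poster's sweep of C:\Windows and C:\Windows\System32 for EXE/DLL files with no Company or Description attribute. The PowerShell script below is an added example (not code from the thread, from HijackThis, BHODemon or any other tool named here) that automates both checks as a report-only triage. It assumes Windows PowerShell 3.0 or later on an elevated prompt; the function names and the choice to add an Authenticode signature check next to the version-resource check are my own.

```powershell
# Added example, not from the thread. Report-only triage for the symptoms
# described above: registered BHOs and "anonymous" binaries under %windir%.
# Assumes Windows PowerShell 3.0+ and an elevated prompt. Nothing is deleted.

$BhoRegistryKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Get-FileTrust {
    # Version-resource fields and Authenticode status for a single file.
    param([Parameter(Mandatory)][string]$Path)
    $item = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $item) { return $null }
    $sig = Get-AuthenticodeSignature -FilePath $item.FullName
    [pscustomobject]@{
        Path        = $item.FullName
        SizeKB      = [math]::Round($item.Length / 1KB, 1)
        Company     = $item.VersionInfo.CompanyName
        Description = $item.VersionInfo.FileDescription
        Signature   = [string]$sig.Status   # Valid, NotSigned, HashMismatch, UnknownError ...
        Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
}

function Resolve-ClsidServer {
    # Map a CLSID to the DLL named in its InprocServer32 key (HKLM first, then HKCU).
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKCU:\SOFTWARE\Classes\CLSID') {
        $key = Join-Path $root "$Clsid\InprocServer32"
        if (Test-Path -LiteralPath $key) {
            $raw = (Get-ItemProperty -LiteralPath $key).'(default)'
            if ($raw) { return [Environment]::ExpandEnvironmentVariables($raw.Trim('"')) }
        }
    }
    return $null
}

function Get-InstalledBho {
    # One row per registered BHO, joined with the trust data of the DLL it loads.
    foreach ($key in $BhoRegistryKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        foreach ($sub in Get-ChildItem -LiteralPath $key) {
            $clsid = $sub.PSChildName
            $dll   = Resolve-ClsidServer -Clsid $clsid
            $trust = if ($dll) { Get-FileTrust -Path $dll } else { $null }
            [pscustomobject]@{
                CLSID       = $clsid
                Dll         = $dll
                Company     = if ($trust) { $trust.Company } else { '' }
                Description = if ($trust) { $trust.Description } else { '' }
                Signature   = if ($trust) { $trust.Signature }
                              elseif ($dll) { 'FileMissing' }
                              else { 'NoInprocServer32' }
            }
        }
    }
}

function Find-AnonymousBinary {
    # EXE/DLL files with empty Company and Description and no valid signature.
    # These are leads to compare against a clean reference system, not proof.
    param([string[]]$Directory = @($env:windir, (Join-Path $env:windir 'System32')))
    foreach ($dir in $Directory) {
        Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -match '^\.(exe|dll)$' } |
            ForEach-Object { Get-FileTrust -Path $_.FullName } |
            Where-Object {
                $_ -and
                [string]::IsNullOrWhiteSpace($_.Company) -and
                [string]::IsNullOrWhiteSpace($_.Description) -and
                $_.Signature -ne 'Valid'
            }
    }
}

# Usage: review both reports before touching anything.
Get-InstalledBho | Format-Table CLSID, Dll, Company, Signature -AutoSize
Find-AnonymousBinary | Sort-Object Path | Format-Table Path, SizeKB, Signature -AutoSize
```

Two points from the thread shape the design. Because the posters saw the offending DLLs rename themselves and re-register under new CLSIDs after each reboot, the script walks the BHO registry key and resolves each CLSID to its InprocServer32 path every time it runs rather than matching on a fixed filename. And because a missing Description or Company attribute is a heuristic rather than a verdict, the script only lists candidates; the signature column lets you separate unsigned third-party files that legitimately lack version info from files that match the renamed-DLL pattern, and a file that the report flags but that you cannot account for is better renamed into a quarantine folder from Safe Mode than deleted outright.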
 