Still can't get rid of...

Guest

More than 30 MS AS scans, some in Safe Mode, numerous
Hijackthis scans/ fix selected, using BHODemon to remove
offending BHO's and using RegEdit to delete known problems
And still.. flashget and funwebproducts adware shows up
on every scan with MS AS, Hijackthis scans show the same
<5 items reappearing.

BHODemon showed a flashget item lurking in GoogleBHO, so
I disabled GoogleBHO, and SpybotBHO for good measure
[although Spybot already switched off]; then ran a couple
more MS AS scans.. Still no fix!

I am assured that these 'adware' items are actually dead
and doing no harm to my system.

What I can't understand is:
Why do they keep coming back?
Including a MS AS Alert at every startup saying
PopularScreensavers [FunWebProducts] Adware Bundler is
trying to install!

Also I am experiencing more and more problems with
programmes (Not Responding).. maybe I'm running too much
antispyware.. ?

Colin
 
Bill Sanderson

Nah--they aren't dead--not if you are getting prompts from Microsoft
Antispyware that they are trying to reinstall.

Check that you are on current definitions--current are 5683, as shown in
Help, about.

I recommend restarting in safe mode and re-scanning with Microsoft
Antispyware until a scan comes through clean.

Be sure to do full scans, rather than the Intelligent quickscan.
 
Colin

Yep, 5683 it is!
Auto-updates working fine for me, so far.

Thanks Bill,
I'll try the safe mode thing; I mostly do full scans
anyway.

In the meantime I Googled 'jetcar', found site offering
jetcar removal tool, got a blank page - which tells me
Flashgit sure ain't dead yet!

Webroot Spysweeper seems to have conflicts with MS AS.

SPAMfighter is giving me some grief as well; even Dr
Watson debugger can't cope and shuts down. I've an idea
Spamfighter changes IE settings... not sure..

Cheers, Colin
 
colin

Aha!
2nd Safe Mode Scan showed clean! [so did 3rd, 4th..]

While I was in safe mode I also Blocked unknown ActiveX's.
blocked Spybot and Spysweeper - Startup
Programmes, blocked Google and Spybot BHO's, returned all
IE Settings to Default and Saved as default, tried
blocking &Google Toolbar, it didn't block but
another 'unknown' toolbar "Internet Explorer Toolbar
&..." suddenly appeared below it, shown as blocked.
Also, interestingly, I blocked only two ActiveX's but an
extra one appeared on the list as blocked.

Reboot to normal mode, no pop-ups and a good clean scan.
Am I happy!
Unblocked Google BHO, rebooted, rescanned - no problems;
Unblocked Spybot Startup, rebooted, Alert! Adware Bundler
trying to install ActiveX. Scan again shows Flashget and
FunWeb..ActiveX's restored.

Well, this is narrowing things down a bit!

Tried blocking Spybot BHO, normal mode, but MS
AS 'allowed' it 'because of my previous preferences'.

Returned to Safe Mode:
Everything still blocked exactly as I left it and good
clean scan.
Tried blocking Getright BHO in there but MS AS allowed it
as well.

Spysweeper Startup still blocked because it hinders MS AS
restoring IE Settings.
BHO {53707962-6F74-2D53-2644-206D7942484F} still
blocked 'cause I don't know what it is, or does, yet.

FYI:
MS AS instructions read "To un-block this... navigate to
Security Agents> Application Agents> View Blocked Events."
The correct path is navigate to APPLICATION AGENT> View
Blocked Events.
Actually, from the page that shows those instructions,
it's click Tools> Real-time Protection> Application
Agent> View Blocked Events.

Notwithstanding my less than ideal capacity for following
directions:
I often find Microsoft's own instructions a little
misleading, or just plain wrong!
E.G...To start in safe mode "when Select OS screen
appears press F8 and select option, press Enter.."
The 'Select OS screen' does not appear when I run only
one OS on this machine. I have to keep pressing F8 as
soon as anything appears on the screen until startup
options appear.
Select OS screen does appear when starting in Safe Mode,
but that is useless, at that point, with only one OS to
select.

My Beef, but I hope some of this helps.
It's now 2:37am, I'll get back to youse another time.
TTFN.
 
Bill Sanderson

Thanks Colin--looks like you have a good handle on it.

There are inconsistencies of various kinds in the docs --that's to be
expected in a beta where things are changing, I'm afraid.

I agree about the Safe mode instructions--those don't make any sense in most
installs.

I think 53707962-6F74-2D53-2644-206D7942484F is OK--looks like that is
SDHELPER, a legit piece of Spybot Search & Destroy.

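Colin's bisection above (clean scans while the startup item is blocked, the adware ActiveX back as soon as it is unblocked) can be automated by diffing successive HijackThis logs. This is an added example, not part of the original thread: the log lines are constructed in HijackThis's O2/O4/O16 line format, every name, path and CLSID other than the SDHelper CLSID quoted above is a placeholder, and it assumes a blocked startup item is absent from the log.

```python
import re

# HijackThis sections used here: O2 = BHO, O3 = IE toolbar,
# O4 = startup entry, O16 = downloaded ActiveX control (DPF).
LINE_RE = re.compile(r"^(O2|O3|O4|O16) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

def parse_log(text):
    """Return {key: line}. Key is (section, CLSID) when the line carries a
    CLSID, else (section, lowercased remainder), so renamed items still match."""
    entries = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, rest = m.groups()
        clsid = CLSID_RE.search(rest)
        ident = clsid.group(0).upper() if clsid else rest.lower()
        entries[(section, ident)] = raw.strip()
    return entries

def reappearances(scans):
    """scans: chronological list of (label, log_text).
    Reports every non-startup entry that was gone in the previous scan but had
    been seen earlier, together with the startup (O4) entries that came back
    in the same scan; those are the first candidates for what reinstalls it."""
    parsed = [(label, parse_log(text)) for label, text in scans]
    seen = set(parsed[0][1]) if parsed else set()
    findings = []
    for (_, prev), (label, cur) in zip(parsed, parsed[1:]):
        returned = {k for k in cur if k not in prev and k in seen}
        startup = sorted(cur[k] for k in returned if k[0] == "O4")
        for key in sorted(k for k in returned if k[0] != "O4"):
            findings.append({"scan": label, "entry": cur[key],
                             "startup_restored_with_it": startup})
        seen |= set(cur)
    return findings

# Constructed sample logs (placeholders except the SDHelper CLSID).
INFECTED = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Example\SDHelper.dll
O4 - HKLM\..\Run: [ExampleStartup] C:\Program Files\Example\startup.exe
O16 - DPF: {11111111-2222-3333-4444-555555555555} (ConstructedAdwareControl) - http://example.invalid/control.cab
"""
CLEAN = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Example\SDHelper.dll
"""
SCANS = [
    ("first scan", INFECTED),
    ("safe mode, startup item blocked", CLEAN),
    ("normal mode, startup item unblocked", INFECTED),
]

if __name__ == "__main__":
    for f in reappearances(SCANS):
        print(f["scan"], "->", f["entry"])
        for s in f["startup_restored_with_it"]:
            print("    came back together with:", s)
```

The SDHelper BHO is never reported because it is present in every scan; only the ActiveX entry that vanished and returned is flagged, alongside the startup entry that returned with it.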
 
Colin

OK..Thanks Bill,
Now it seems to me, considering all that has gone before:

I have Spybot infected with an Adware Bundler and I have
Google Toolbar infected with Adware.

Now.. the best way to get rid of them?

I can, perhaps preferably in Safe M., Permanently Remove
Spybot. Then, quite simply download and install a new one.
MS AS won't block Google Toolbar, but it does seem to
block something attached to it, which, according to
BHODemon, is Flashgit. I could try 'Permanently Removing'
Google toolbar and see if that attachment disappears. I
can also easily get a new Google.

What do you think?
 
Bill Sanderson

I don't understand those appearances.

So--I like your idea of removing both Spybot Search & Destroy and the Google
toolbar, scanning (until clean), and then reinstalling those from
appropriate sources.

If you get an alarm on a fresh install of either of those apps, let's look at
the details. It is hard to believe it would be a false positive, cause we'd
have thousands of messages about it here.
 
Colin

Well the appearance might've been hidden among other
details in message "Re: Still cant ged rid of.. Cookin."

Put simply:
When Spybot is running at start-up the 'Adware Bundler..
installing ActiveX' Alert pops up.
When Spybot is blocked at startup - no pop-up.

MS AS won't block Google Toolbar, but attempts to block
it create another Toolbar in the list, which is blocked.
This appears strange to me also, except that BHODemon
finds a Flashget BHO located in Google file--reckons
it's 'benign' - I don't!
Unblocking Google BHO, though, seems safe.

I doubt it's a false positive. I had Flashget, which MS
AS kindly uninstalled for me. Those pop-up ads were
pretty annoying anyway, but I didn't realize how invasive
it could be. Popularscreensavers.. yes, well.. we live
and learn. And I've got heaps of other junk to get rid of
besides.

Now I have been working 23hrs straight on this, and I
would at least give myself a kiss on the cheek for that -
'cep my lips ain't that rubbery!

P.S. I could even get like MS AS at this rate... lots of
GRUNT!
 
Bill Sanderson

Great testimonial--good luck--let us know how it turns out?
 
Colin

Bill wrote: --good luck--let us know how it turns out?

It turns out like this:

I thought of it too late, but I could've tried running
the old 'infected' Spybot manually, sometime after bootup
to see what that did.. but:

In Safe Mode,
'Permanently Removed' Spybot and 'ghost' Google toolbar,
which was marked as 'unknown' and blocked, had exact same
ID number as the genuine but without CLSID: prefix - list
of registry keys might contain a clue, but...
Uninstalled Spybot, deleted all folders and files called
*spybot* About five in total, from programme files,
prefetch etc.. Search found one in all users\application
data, but I couldn't see it.
Tidied up the registry with RegSeeker, Thanks Ron.

Hijackthis scan all clean.

First Normal Mode MS AS scan found 'High'
threat 'Possible Browser Hijack' IE local page: and dealt
with that no problem - Webroot still blocked so MS AS
didn't freeze up on it.
Next Scan clean!!!

Downloaded, installed, updated and ran new Spybot - still
finds the same old 'DSO Exploit'..

Scan with MS AS... ALL CLEAN!!!

Google still works; I was looking for info on this
new 'Security Warning!' pop-up: "current webpage-
view.atdmt.com is trying to open website-
c:\windows\system32\shdoclc.dll - (y/n?)
What's that about? Appears every time I open IE or move
from page to page some places.

Anyway you blokes have earned a beer I reckon; Have one
on me! Well... no, on second thoughts..
Have Three.

SOME GRRUNT.T.T.
 
Bill Sanderson

Thanks--I will! Ignore the DSO exploits if you are on XP SP2 and fully
patched. These are a bug in Spybot Search & Destroy, and won't show up once
a new version is released.
 
