And I thought I was an expert. Help needed

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Shyura, Apr 6, 2005.

  1. Shyura

    Shyura Private E-2

    Like the topic says, I really thought I knew everything there is to know about spyware, but apparently I was wrong. I have no bloody idea how this thing got onto my PC.

    When I enter a site I see a quick address in the bottom-left field that says ad.se.doubleclick.net. This must mean I have spyware on my PC, right? On some sites I even get popups.

    I am using Firefox, and popups should be impossible? I get linked to pages like www7.paypopup.com and after that I get a popup.

    I always have Ad-Watch running on my PC.
    I tried to find something with Ad-aware Pro: 0 spyware found.
    I tried to find something with Spybot S&D: 0 spyware found.
    I tried to find something with Windows AntiSpyware (Beta): 0 spyware found.
    I tried to find something with Spy Sweeper: 0 spyware found.

    All with the latest updates.

    Nothing, nothing, nothing. Yet I get popups???
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download HijackThis 1.99.1

    Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    Do NOT run HijackThis from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file, as your backups will not be safely stored.

    Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc., and any other unnecessary running programs.

    Run HijackThis and save your log file.

    Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post, as it will be removed.)

    Need help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting
     
  3. Shyura

    Shyura Private E-2

    Here ya go!

     

    Attached Files:

  4. Shyura

    Shyura Private E-2

    Done!
     
  5. Shyura

    Shyura Private E-2

    Wow, this forum does not work the way I'm used to. Well, I posted twice now, but the file is still the same.
     
  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Is this log from Normal Mode or Safe Mode?
     
  7. Shyura

    Shyura Private E-2

    Normal Mode.

    I can make a new one if you wish. I didn't pay too close attention to the instructions and had a few programs running.
     
  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Just a really small log; I have never seen one without any services running. Anyway, can you explain your problem to me, because I see nothing in your log.
     
  9. Shyura

    Shyura Private E-2

    Well, I'm not a big fan of having a lot of processes running.

    Well, for every page I enter I connect to an "ad.####" page.

    For example, if I enter www.loading.se
    my browser also connects to ad.loading.se and/or ad.se.doubleclick.net.

    On more popular addresses that I visit daily, like Narutofan.com or Newgrounds.com, I get popups, often linked from paypopup. And as I said before, I'm using Firefox.

    Edit: It's not only doubleclick; there is also some other address, ad.ariz.. something. I only see this address for half a second or less.
     
  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, lets give this a shot!

    Please download DelDomains and unzip it to your desktop.

    Find the files from deldomains.zip on your Desktop and RightClick on the deldomains.inf file and select Install.

    Reboot and see if problem is resolved.
     
  11. Shyura

    Shyura Private E-2

  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download & Run CCleaner

    Run the first scan only!

    Let me know if this takes care of it! If not, I'm creating a fix.
     
  13. Shyura

    Shyura Private E-2

  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, just to be safe create a backup of your registry:
    Backing up the Windows registry

    Click Start > Run > type regedit

    Now navigate to the following keys and delete if any of these entries are found.

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run(doubleclick.net)
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Backup(doubleclick.com)
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Backup(doubleclick.net)
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved(doubleclick.com)
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved(doubleclick.net)
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\URLPrefixes(doubleclick.com)
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\URLPrefixes(doubleclick.net)

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run(doubleclick.net)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Backup(doubleclick.com)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Backup(doubleclick.net)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved(doubleclick.com)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved(doubleclick.net)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URLPrefixes(doubleclick.com)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URLPrefixes(doubleclick.net)

    After doing this, reboot. If the problem still remains, then proceed to the following:

    Download and install Microsoft® Windows AntiSpyware. During the install make sure you get any updates. Now be sure you have ALL browsers CLOSED!

    Please make sure ALL Browser Windows are Closed

    Now allow the Microsoft Antispyware program to run a full scan. After it completes, reboot again in normal boot mode.
     
  15. Shyura

    Shyura Private E-2

    ... I feel like a troublemaker :)

    Nothing in the registry was found. Not a single one of those keys.
    I did a full system scan with MS AntiSpyware; NOTHING was found. All browser windows were closed.
     
  16. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Click Start > Run > type regedit

    Search for:

    doubleclick

    Post the EXACT entries that it finds. Right click and choose copy key name to do this.
     
  17. Shyura

    Shyura Private E-2

    Here I found something interesting:
    HKEY_USERS\S-1-5-21-436374069-1563985344-1343024091-1003\Software\Microsoft\RAS Autodial\Addresses

    Inside here lie all the stupid URLs I get, like:

    HKEY_USERS\S-1-5-21-436374069-1563985344-1343024091-1003\Software\Microsoft\RAS Autodial\Addresses\ad.doubleclick.net
    HKEY_USERS\S-1-5-21-436374069-1563985344-1343024091-1003\Software\Microsoft\RAS Autodial\Addresses\ad.aftonbladet.se
    HKEY_USERS\S-1-5-21-436374069-1563985344-1343024091-1003\Software\Microsoft\RAS Autodial\Addresses\ad.se.doubleclick.net
    HKEY_USERS\S-1-5-21-436374069-1563985344-1343024091-1003\Software\Microsoft\RAS Autodial\Addresses\ad.aboutwebservices.com
    HKEY_USERS\S-1-5-21-436374069-1563985344-1343024091-1003\Software\Microsoft\RAS Autodial\Addresses\ads.fortunecity.com

    ... The list goes on; about 70 of those popup addresses are in here.
     
  18. Shyura

    Shyura Private E-2

    Also in :

    HKEY_CURRENT_USER\Software\Microsoft\RAS Autodial\Addresses
     
  19. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Make a backup of your registry in case you experience any problems with this.

    Go back in the registry and delete the following keys:

    HKEY_CURRENT_USER\Software\Microsoft\RAS Autodial

    HKEY_USERS\S-1-5-21-436374069-1563985344-1343024091-1003

    See if the problem remains after this; if not, try deleting the other entries found.
     
  20. Shyura

    Shyura Private E-2

    Nothing happened. After deleting I restarted, but nothing. The browser is still connecting to "ad." pages.

    Do you have any other ideas? If not, I'll start formatting.
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Give this a try!

    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixprefix.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Double-click on the fixprefix.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to add the changes into your registry say yes.
    Does that help?
     
  22. Shyura

    Shyura Private E-2

    Nope, still the same.

    This is driving me nuts.
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I did not have time to read through this whole thread. Has BJ had you run HOSTER to fix your hosts file, and have you flushed your DNS cache (ipconfig /flushdns run at a command prompt)?
     
  24. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    No, I have not. Let's try it now, shall we. :D

    Shyura,
    Please download HOSTER and then follow the below steps.
    • Unzip Hoster to a convenient folder such as C:\Hoster
    • Run Hoster.exe, click Restore Original Hosts and then click OK.
    • Click the X to exit the program.
     
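The RAS Autodial\Addresses key posted above and the hosts-file step in the last reply are two halves of the same check, so here is an added example (not code from the thread or from any of the tools it names) that ties them together. RAS Autodial\Addresses is a list Windows keeps, under the Remote Access Auto Connection feature, of hostnames the machine has tried to reach; it records an attempt, it does not cause one. The hosts file, on the other hand, decides where such an attempt goes: an ad-blocking hosts file sends ad domains to 127.0.0.1 or 0.0.0.0, while a hijacking entry sends a real site to a routable address. The script below takes key paths in the form regedit's "Copy Key Name" produces, a hosts file, and reports for each cached hostname whether it is blocked, redirected, or left to DNS. The key paths and hosts lines are constructed sample data, not the contents of the poster's machine, and the function names are mine.

```python
"""Cross-check hostnames cached under RAS Autodial\\Addresses against the hosts file.

Added example for the thread above, not code from it. Input is constructed
sample data in the shape of the registry key paths and hosts-file lines discussed.
"""
import ipaddress
import re

# Constructed sample: key paths in the form regedit's "Copy Key Name" produces.
# One entry is repeated on purpose to show deduplication.
SAMPLE_REGISTRY_KEYS = r"""
HKEY_CURRENT_USER\Software\Microsoft\RAS Autodial\Addresses\ad.doubleclick.net
HKEY_CURRENT_USER\Software\Microsoft\RAS Autodial\Addresses\ad.se.doubleclick.net
HKEY_CURRENT_USER\Software\Microsoft\RAS Autodial\Addresses\www.loading.se
HKEY_CURRENT_USER\Software\Microsoft\RAS Autodial\Addresses\www7.paypopup.com
HKEY_CURRENT_USER\Software\Microsoft\RAS Autodial\Addresses\ad.doubleclick.net
"""

# Constructed sample hosts file: one ad-blocking entry, one null-route entry,
# one non-loopback mapping of the kind a hijacking tool plants, one bad line.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       ad.doubleclick.net      # ad-blocking entry
0.0.0.0         ads.fortunecity.com     # null-routed
10.1.2.3        www.loading.se          # redirected to a routable address
not-an-ip       garbage.example         # malformed line, skipped
"""

# Matches the last path component under ...\RAS Autodial\Addresses\
RAS_KEY_RE = re.compile(r"\\RAS Autodial\\Addresses\\([^\\\s]+)\s*$", re.IGNORECASE)


def hostnames_from_ras_keys(text):
    """Return the hostnames under RAS Autodial\\Addresses, lowercased, deduplicated, in order."""
    seen = []
    for line in text.splitlines():
        m = RAS_KEY_RE.search(line.strip())
        if m:
            host = m.group(1).lower()
            if host not in seen:
                seen.append(host)
    return seen


def parse_hosts(text):
    """Parse hosts-file text into {hostname: ip}; comments, blanks and malformed lines are skipped."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # not a valid address, ignore the line
        for name in names:
            mapping[name.lower()] = ip
    return mapping


def classify(hostnames, hosts_map):
    """For each cached hostname, say how the hosts file affects connections to it."""
    result = {}
    for host in hostnames:
        ip = hosts_map.get(host.lower())
        if ip is None:
            result[host] = "not in hosts (resolved via DNS)"
            continue
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_unspecified:
            result[host] = "blocked by hosts (loopback/null route)"
        else:
            result[host] = f"redirected by hosts to {ip}"
    return result


def suspicious_hosts_entries(hosts_map):
    """Entries sending a name other than localhost to a routable address: the hijack pattern."""
    out = {}
    for name, ip in hosts_map.items():
        addr = ipaddress.ip_address(ip)
        if name != "localhost" and not (addr.is_loopback or addr.is_unspecified):
            out[name] = ip
    return out


if __name__ == "__main__":
    cached = hostnames_from_ras_keys(SAMPLE_REGISTRY_KEYS)
    hosts_map = parse_hosts(SAMPLE_HOSTS)
    for host, verdict in classify(cached, hosts_map).items():
        print(f"{host:28} {verdict}")
    print("suspicious hosts entries:", suspicious_hosts_entries(hosts_map))
```

On a real machine, feed `hostnames_from_ras_keys` the output of regedit's "Copy Key Name" for each subkey (or the result of `reg query "HKCU\Software\Microsoft\RAS Autodial\Addresses"`) and `parse_hosts` the contents of `C:\WINDOWS\system32\drivers\etc\hosts`. Entries that come back as "not in hosts" are ordinary third-party requests the page itself embedded; only the "redirected" ones point at a tampered hosts file, and a hostname appearing in the Autodial list proves nothing on its own.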
  25. Shyura

    Shyura Private E-2

    Well, finally some result. I no longer get any popups.

    But the problem still remains that the browser tries to connect to the "ad." addresses. Is this normal behaviour?
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you flush your DNS as I requested?
     
  27. Shyura

    Shyura Private E-2

    Yes, DNS flushed, hosts file back to original,
    no changes, and the popups are back...
     
  28. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    This has been bugging me. I just want to be 100% sure, so let's rule this out.

    Download the Generic Detection Tool - NT/2000/XP

    NOW:

    Unzip the Generic Detection Tool to a safe folder of your choice and run "find.bat" - Allow it as much time as it needs to run. You may get an error message of "File Not Found," but just let it go.

    The tool should generate a long text file. Attach this log as an attachment to your post.
     
  29. Shyura

    Shyura Private E-2

    Here you go:
     

    Attached Files:

  30. Shyura

    Shyura Private E-2

    Did you take a look at it?
     
  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That log does not indicate any problems.

    Please download and install (make sure you do the one time update) and then scan with Spy Sweeper
    This is a 15 or 30 day trial. It will scan and fix. Save the log. After running it, immediately reboot into Safe Mode and run it again.

    Let us know what this finds and cleans or does not clean (posting the log as an attachment would be useful.)

    Also search your PC (using Windows File Search) to look for the following file: iereset.inf

    You should have one in c:\windows\inf and another in an i386 folder (could be c:\i386 or c:\windows\i386).
     
    Last edited: Apr 9, 2005
