How do I remove DCADS popups from my system?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Renreq, Dec 30, 2007.

  1. Renreq

    Renreq Private E-2

    For the first time in over 20 years, I used LimeWire Pro to download and install a game called Peggle from PopCap games. Upon installing the setup.exe file, I was presented with another installation process asking me if I wanted to install some ad software. I declined the offer, but the program went ahead and installed itself, as did another similar installation routine.

    Ever since then, I have been plagued by popup ads from DCADS and Superiorads, and once in a while a song will play with lyrics that go "I like the way you move". I ran the Norton Anti-Virus but it only detected a virus called Downloader, which it claims to have resolved. I finally downloaded and purchased Spyware Bot and it removed quite a bit of spyware and cookies that I was never aware of, but it has not been able to remove the ones that make reference to dcads. It claims to successfully quarantine those files and remove them from the Windows registry, but they remain.

    I need step by step support to get rid of this problem. So far, I have managed to erase all instances of dcads and superiorads from my system, but they remain in my registry and I don't know what to do.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  3. Renreq

    Renreq Private E-2

    I just finished going through the cleansing process and it appears that the dcads popups may have been eliminated. At startup, I am still seeing what appears to be a popup window that wants to open but then just closes. I am attaching the three log files that you requested, but I was unable to properly create the AVG log because my assistant may have overlooked the option, so I am attaching a JPEG that shows what files were quarantined. Thank you.
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First Disable Spybot's TeaTimer as requested in the READ & RUN ME
    • Run Spybot and click Mode
    • Select Advanced Mode.
    • Then click Tools and select Resident.
    • Now in the right window pane, uncheck TeaTimer.
    • Also while this is open, in the left column now select IE Tweaks
    • and then in the right pane make sure all the Miscellaneous locks are unchecked.
    • Now quit Spybot!
    Uninstall the below old versions of software:
    Java 2 Runtime Environment, SE v1.4.2_04
    Java(TM) 6 Update 2
    Kazaa Lite K++ v2.4.3 <-- should have been uninstalled in step 0 of the READ ME

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: superiorads - {4AD44D3E-7316-4251-B754-9B10EC96AF92} - C:\WINDOWS\system32\sprt_ads.dll
    O2 - BHO: browser optimizer superiorads - {8E015787-B1E3-404a-95DE-3E71E1FA0305} - C:\WINDOWS\system32\spads.dll (file missing)
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [spa_start] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\sprt_ads.dll" DllStart
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    O4 - Startup: PowerReg Scheduler.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

    After clicking Fix, exit HJT.

    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

    Make sure you tell me how things are working now!
     
  5. Renreq

    Renreq Private E-2

    I cannot begin to thank you enough for all the support that you have shown me. I owe you at least a burger, fried chicken, or something that can be considered a satisfactory meal. The initial help you offered appears to have disabled the DCADS pop-ups from appearing so often, but the remaining references kept causing the occasional little pop-up that would disappear just as quickly as it appeared. Only once in the past few days since the initial clean up have I had a complete pop-up appear, but hopefully this second cleanup did the trick.

    I have attached the files that you requested. If you have paypal, I would be happy to send you a little something for all your trouble.

    Sincerely,
    Rene Requenez
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Avenger did not work properly and why did you attach a file named backup.zip?

    Since Avenger did not work, please locate the below files and delete them yourself. Some of them may be gone already.
    C:\WINDOWS\popcinfot.dat
    C:\WINDOWS\popcreg.dat
    C:\WINDOWS\system32\superiorads-uninst.exe
    C:\WINDOWS\system32\sprt_ads.dll
    C:\WINDOWS\system32\spads.dll

    Also HijackThis did not get the below fix. Run HJT the same way and fix the below lines:
    O2 - BHO: (no name) - {8E015787-B1E3-404a-95DE-3E71E1FA0305} - (no file)
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe


    Let me know if you have a problem deleting any of the above. Then attach a new MGlogs.zip file after running GetLogs.bat again.

    Also have you seen any more popups?


    Yes I do and that is purely at your discretion. You can PM me about it if you like.
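
Added example, not part of the original thread and not code from HijackThis or MGtools: a Python triage that parses the HijackThis lines from posts 4 and 6 and ties them to the files post 6 lists for manual deletion, including the leftover "(no file)" BHO, which it links back to spads.dll by CLSID. The function names `parse_hjt` and `triage` are hypothetical; the log lines and paths are copied from the posts above.

```python
import ntpath
import re

# HijackThis lines copied from posts 4 and 6 of the thread.
HJT_LINES = [
    r"O2 - BHO: superiorads - {4AD44D3E-7316-4251-B754-9B10EC96AF92} - C:\WINDOWS\system32\sprt_ads.dll",
    r"O2 - BHO: browser optimizer superiorads - {8E015787-B1E3-404a-95DE-3E71E1FA0305} - C:\WINDOWS\system32\spads.dll (file missing)",
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime',
    r'O4 - HKLM\..\Run: [spa_start] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\sprt_ads.dll" DllStart',
    r"O2 - BHO: (no name) - {8E015787-B1E3-404a-95DE-3E71E1FA0305} - (no file)",
]
# Files post 6 asks the user to delete by hand.
FLAGGED_FILES = [r"C:\WINDOWS\popcinfot.dat", r"C:\WINDOWS\popcreg.dat",
                 r"C:\WINDOWS\system32\superiorads-uninst.exe",
                 r"C:\WINDOWS\system32\sprt_ads.dll", r"C:\WINDOWS\system32\spads.dll"]

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|dat)\b', re.I)

def parse_hjt(line):
    """Split one HijackThis line into section, CLSID, file paths and orphan flag."""
    m = re.match(r"(O\d+) - (.*)", line)
    if not m:
        return None
    clsid = CLSID_RE.search(m.group(2))
    return {
        "section": m.group(1),
        "clsid": clsid.group(0).upper() if clsid else None,
        # normcase lower-cases the path so System32 and system32 compare equal
        "paths": [ntpath.normcase(p) for p in PATH_RE.findall(m.group(2))],
        "orphan": bool(re.search(r"\((?:file missing|no file)\)", m.group(2))),
        "line": line,
    }

def triage(lines, flagged_files):
    """Return (entry, reason) pairs for entries tied to the flagged files."""
    flagged = {ntpath.normcase(f) for f in flagged_files}
    entries = [e for e in map(parse_hjt, lines) if e]
    # CLSIDs that appear alongside a flagged file anywhere in the logs.
    bad_clsids = {e["clsid"] for e in entries
                  if e["clsid"] and flagged.intersection(e["paths"])}
    hits = []
    for e in entries:
        if flagged.intersection(e["paths"]):
            hits.append((e, "references flagged file"))
        elif e["clsid"] in bad_clsids:
            hits.append((e, "orphaned CLSID of flagged file"))
    return hits
```

Calling `triage(HJT_LINES, FLAGGED_FILES)` returns four entries: the two BHOs, the `spa_start` Run key that loads sprt_ads.dll through Rundll32, and the "(no name)" BHO left in the registry after its DLL was gone.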
     
  7. Renreq

    Renreq Private E-2

    I am delighted to announce that I followed the recent steps you gave me and didn't encounter any problems. I should note that I nearly skipped the step where I'm supposed to delete the 2 entries with Hijack because this portion of the email I received was strangely missing.

    Anyway, I haven't had a single pop-up or any type of unusual experiences, so I'm thrilled. I still experience somewhat sluggish boot-up, but that's probably because I'm still booting in Normal mode and not in Selective Startup.

    How do I PM you?

    Thanks a bunch!
     


  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You are clean but I suggest you do the below.

    Also delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp
    C:\Documents and Settings\Rene Requenez\Local Settings\Temp

    Now run Ccleaner!


    You should never be using Selective Startup mode except for when you are doing temporary debugging of problems.

    How to deal with startup processes.

    • First you should uninstall any software that you do not use.
    • Second, if you have processes still trying to load at startup even though you have uninstalled them, you can simply use HijackThis to easily remove the startup. That way you will not have to manually edit the registry.
    • Third for software you do not want to uninstall but you don't want it to load at startup, look in the program for an option not to load when Windows starts and disable it this way. If you cannot find an option like that you have two possible actions:
      • if you never want it to load at startup, use HJT to permanently remove the startup.
      • if you sometimes want it to load at startup, use a program like Startup CPL to enable or disable as you see fit.


    Just click on my name in one of my messages and you will see an option to send a Private Message (PM).
     
