Annoying adserver.sharewareonline, etc.

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by filbert, Dec 11, 2004.

  1. filbert

    filbert Private E-2

    I've got some type of spyware or something on my computer and I cannot remove it. I've looked at many removal instructions on people with a similar problem and it just doesn't disappear. I've run Ad-Aware, SpyBot, Norton, HijackThis, and the pop-ups don't end. The first pop-up is usually from some address like adserver.sharewareonline... From there lots of other random pop-ups randomly appear. Please help. Here is a list of processes running on my computer.

    iPodService.exe
    taskmgr.exe
    Money Express.exe
    GoogleDesktop.exe
    ctfmon.exe
    msmsgs.exe
    SYSWB6.exe
    iTunesHelper.exe
    winvnc4.exe
    Rtvscan.exe
    svchost.exe
    qttask.exe
    MDM.EXE
    DefWatch.exe
    cvpnd.exe
    alg.exe
    spoolsv.exe
    ccEvtMgr.exe
    ccSetMgr.exe
    svchost.exe
    svchost.exe
    svchost.exe
    explorer.exe
    rundll32.exe
    svchost.exe
    Ivpsvmgr.exe
    lsass.exe
    services.exe
    winlongon.exe
    csrss.exe
    smss.exe
    GoogleDesktopIndex.exe
    iexplore.exe
    GoogleDesktopCrawl.exe
    System
    System Idle Process
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You should attempt to follow ALL the steps in this Sticky thread < READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal >

    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.

    If still having a problem after the above, you should read the tutorial in this Sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log file as an attachment to your message. All running programs should be closed, including your web browser, e-mail. Close before running Hijack This!

    Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT

    Make sure you have HJT version 1.98.2 and follow the guidelines on where to install it and how to post a log as an attachment.


    By the way, I would suspect winlongon.exe as being bad.
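
Added example, not part of the original thread: a sketch of why `winlongon.exe` stands out, since it is one inserted letter away from the real Windows logon process `winlogon.exe`. The allow-list `SYSTEM_NAMES` and the function names are assumptions made for this illustration.

```python
# Added example: flag process names that are near-misses of Windows system binaries.
# SYSTEM_NAMES is a short illustrative allow-list, not a complete inventory.
SYSTEM_NAMES = {
    "winlogon.exe", "svchost.exe", "lsass.exe", "services.exe", "csrss.exe",
    "smss.exe", "explorer.exe", "spoolsv.exe", "rundll32.exe",
}

def edit_distance(a, b):
    """Levenshtein distance (insert, delete, substitute), computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute or match
        prev = cur
    return prev[-1]

def find_lookalikes(process_names, max_distance=1):
    """Return (name, imitated_system_name, distance) for near-miss names."""
    hits = []
    # dict.fromkeys de-duplicates while keeping the order of first appearance.
    for name in dict.fromkeys(n.lower() for n in process_names):
        if name in SYSTEM_NAMES:
            continue  # an exact name match is not a lookalike
        for real in sorted(SYSTEM_NAMES):
            d = edit_distance(name, real)
            if d <= max_distance:
                hits.append((name, real, d))
    return hits

# Subset of the process list posted in the thread.
SAMPLE = ["svchost.exe", "svchost.exe", "winlongon.exe", "lsass.exe", "csrss.exe",
          "explorer.exe", "iexplore.exe", "msmsgs.exe", "ctfmon.exe", "alg.exe"]

if __name__ == "__main__":
    for name, real, d in find_lookalikes(SAMPLE):
        print(f"{name}: {d} edit(s) from {real}")
```

Raising `max_distance` to 2 also matches the legitimate `iexplore.exe` and `msmsgs.exe`, so a name match is only a triage hint. A binary named exactly `winlogon.exe` but stored outside System32 passes this check, which is why the file path and signature still need to be verified.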
     
  3. filbert

    filbert Private E-2

    Still getting annoying pop-ups

    I did all of the scans and things that were in those threads and most scans didn't find anything (probably because I had run several of those scans several times before coming here). I would be extremely grateful for any help. I am still getting annoying pop-ups. A few of the addresses and things that I'm getting are:

    http://adserver.sharewareonline.com/AdServer/MemTurbo/Adm/ad080504.htm

    ads.clickagents.com

    e.rn11.com/a/a174-admed-ron

    http://www.americansingles.com/default.asp?p=7090&PRM=22138&LGID=1918Ximproper

    http://inqwire.com/homepage.asp?group=Sinaloah&pops=yes&lpt=5

    s.dkoptimizer.com

    Here's my HijackThis log.
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Still getting annoying pop-ups

    Your OS and probably IE version are seriously out of date. You MUST get yourself updated when we complete the fixing of your current problems. It is imperative to do this to help avoid future problems!


    C:\WINDOWS\System32\SYSWB6.exe -- Did you install this --> We-Blocker - gives parents the opportunity to monitor their children's Internet access and provide them with age-appropriate content, while filtering out sites that contain adult content

    There are several ads that come up just accessing their website. Like:
    - media.fastclick.net
    - www.goldnewsweekly.com/ads
    - www.adtrader.com/ads/adserve.asp

    I'm not sure if I would trust this We-Blocker yet, but I don't know anything about them.

    I'm not sure what this kwaary.exe program is or who is loading it. It does not show being loaded in your log. Do you know what it is?
    C:\WINDOWS\System32\kwaary.exe


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O1 - Hosts: 204.244.184.143 SafeWeb.com
    O1 - Hosts: 204.244.184.143 WWW.SafeWeb.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch


    Based on problems we are having with hosts file hijacking lately, those O1 lines (at least some of them) may come right back.

    Now reboot, get a new HJT log and post it here. How are things running?

    You need to read this: How to Protect yourself from malware!
    I would recommend all steps but do not update to WinXP SP2 if you have any malware problems. You can however update to WinXP SP1a.
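
Added example, not part of the original thread: a small parser that groups HijackThis `O1 - Hosts:` lines (or raw hosts-file lines) by target address, so repeated redirects of search hostnames to one non-loopback IP are easy to spot and to re-check after a reboot. The function name and the sample's `127.0.0.1 localhost` line are constructed for this illustration; the other sample lines are taken from the post above.

```python
import ipaddress
import re
from collections import Counter

# Accepts "O1 - Hosts: <ip> <name>" from a HijackThis log or "<ip> <name>" from
# the hosts file itself (%SystemRoot%\System32\drivers\etc\hosts).
ENTRY_RE = re.compile(r"^\s*(?:O1 - Hosts:\s*)?(\S+)\s+(\S+)")

def parse_redirects(lines):
    """Return {ip: Counter(hostname)} for names mapped to a non-loopback address."""
    redirects = {}
    for raw in lines:
        line = raw.split("#", 1)[0]            # drop hosts-file comments
        match = ENTRY_RE.match(line)
        if not match:
            continue
        try:
            ip = ipaddress.ip_address(match.group(1))
        except ValueError:
            continue                           # not an address: other log line
        if ip.is_loopback or ip.is_unspecified:
            continue                           # 127.0.0.1 / 0.0.0.0 block entries
        redirects.setdefault(str(ip), Counter())[match.group(2).lower()] += 1
    return redirects

SAMPLE = """\
127.0.0.1 localhost
O1 - Hosts: 204.244.184.143 SafeWeb.com
O1 - Hosts: 204.244.184.143 WWW.SafeWeb.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
""".splitlines()

if __name__ == "__main__":
    for ip, names in parse_redirects(SAMPLE).items():
        for name, count in sorted(names.items()):
            print(f"{ip} <- {name} (x{count})")
```

Running it on the log taken before the fix and again on the log taken after the reboot shows whether the same entries have been rewritten into the hosts file.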
     
  5. filbert

    filbert Private E-2

    Ok. Thanks for your help. Things do seem to be running a little better, but the pop-ups continue. I downloaded the firewall and it continuously is asking me for permission for everything. I'm not sure what to give permission to. I have noticed that according to the firewall, the rundll.exe and winlogon.exe periodically try to access www.ad-w-a-r-e.com. When I terminate those processes, they come back. Here's another HijackThis log. Thanks.
     


  6. filbert

    filbert Private E-2

    Oh, and I forgot to add that we have had We-Blocker for some time now and it has never given us these problems up to now. I know that they bombard you with ads when you visit their site, but I think that's all that they do.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please check this site out; they have a procedure that appears to cure the O1 - Hosts: 69.20.16.183 problems.

    http://forums.techguy.org/showthread.php?t=304499&page=1&pp=15

    Let us know if it works for you.

    Yes, for a firewall you have to determine what to allow access to and from your computer. It does take a little effort determining what to do for each item that pops up.
     
