ad-w-a-r-e nightmare

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by gardner2332, Oct 10, 2004.

  1. gardner2332

    gardner2332 Private E-2

    I'm having major problems getting rid of www.ad-w-a-r-e.com popups. I think I have followed all the steps in the sticky thread. I have run Spybot, Adware, CWShredder, etc. I've run HJT, but don't know what is safe to delete. Any help would be appreciated.

    System specs:

    Windows XP Home Edition Service Pack 2 (build 2600)
    Processor
    900 megahertz Intel Celeron
    32 kilobyte primary memory cache
    128 kilobyte secondary memory cache
    Board: Asus CUW-AM/MEW-AM 2.02
    BIOS: Phoenix Technologies LTD 3.02 08/24/2001
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  3. gardner2332

    gardner2332 Private E-2

    Okay, my hjt log is attached.
     

    Attached Files:

  4. vernalex

    vernalex Private E-2

    On my website I have dedicated a section to malware removal and the major focus is spyware and adware. One of the chapters is about quick removal, but it's not as complete as the rest of the guide. Let me know if it helps at all.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to get HJT off your desktop and put it in its own directory. See the tutorial on it again.

    Do you know what this is:
    C:\Program Files\MyPoints_PointAlert\MyPointsPointAlert1.exe
     
  6. jarcher

    jarcher I can't handle a title

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No problem jarcher! But to be correct, HijackThis can create backups when you run it from the desktop. It will create a new folder called backups on your desktop. This is a bad idea though because it is too easy to delete (no one knows what it is for or where it came from) and it causes more desktop clutter. Those are the main reasons to not use the desktop.
     
  8. jarcher

    jarcher I can't handle a title

    I apologize for the misinformation
    and spelling :grin: :D
     
  9. gardner2332

    gardner2332 Private E-2

    I have it in its own folder inside another folder on the desktop for easier access, but I can move it if it's a problem.
     
  10. jarcher

    jarcher I can't handle a title

    It would be better if it was not on the desktop at all,
    like
    C:\Program Files\HJT
     
  11. gardner2332

    gardner2332 Private E-2

    I moved my HJT folder. Here's the new log.
     

    Attached Files:

  12. jarcher

    jarcher I can't handle a title

    These, I believe, should be fixed:

    O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://a19.g.akamai.net/7/19/7125/1239/ftp.coupons.com/v6/brix6ie.cab

    O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805/v1503/www.contentwatch.com/audit/includes/ContentAuditControl.cab

    O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab


    There are more that I am not too certain of.

    Best wait for chaslang though; as you see,
    I am not too good with information, as of yet. . .
    I am working on it.
     
  13. gardner2332

    gardner2332 Private E-2

    I know what
    C:\Program Files\MyPoints_PointAlert\MyPointsPointAlert1.exe
    is. It's not really important. I don't use that service much anymore.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Then you should look for an uninstall in Add/Remove Programs and uninstall it. There is a load of stuff for it in your log. I will leave it in my analysis as it should be deleted. It's up to you what to do with MyPoints_PointAlert.

    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Find the below processes and End them:
    C:\Program Files\MyPoints_PointAlert\MyPointsPointAlert0.exe
    C:\Program Files\MyPoints_PointAlert\MyPointsPointAlert1.exe

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O8 - Extra context menu item: MyPoints - file://C:\Program Files\MyPoints_PointAlert\Sy800\Tp800\scri800a.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
    O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
    O9 - Extra button: Point Alert - {16BF42FD-CA0A-4f48-819D-B0343254DD67} - file://C:\Program Files\MyPointsPointAlert\System\Temp\mypoints_script0.htm (file missing) (HKCU)
    O9 - Extra button: Point Alert - {67B50696-04BA-48ea-A697-28AA0EAA9C26} - file://C:\Program Files\MyPoints_PointAlert\Sy800\Tp800\scri800a.htm (HKCU)
    O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://a19.g.akamai.net/7/19/7125/1239/ftp.coupons.com/v6/brix6ie.cab
    O16 - DPF: {2DEF4530-8CE6-41C9-84B6-A54536C90213} (Crystal Report Viewer Control 9) - http://behr.tea.state.tx.us/crystalreportviewers/activeXViewer/activexviewer.cab
    O16 - DPF: {3D54FEE0-CE46-11D4-8288-0050BA6A5ABF} (WebPie2 Class) - file://C:\Program Files\Newsoft\Presto! Mr. Photo 3\CardExpr\iepiev20.cab
    O16 - DPF: {41289E02-198A-4034-8CF9-5A8739A80D0D} (ReportPromptInfoDlg Class) - http://behr.tea.state.tx.us/crystalreportviewers/activeXViewer/reportparameterdialog.cab
    O16 - DPF: {4B5C9C28-3806-47B5-89A9-93063323160F} (ReportExport Class) - http://behr.tea.state.tx.us/crystalreportviewers/activeXViewer/activexviewer.cab
    O16 - DPF: {5EE92643-21CE-4949-903F-39439DCC3944} (Shapetris Control) - http://mirror.worldwinner.com/games/v42/shape/shape.cab
    O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) - http://www.worldwinner.com/games/shared/dephlp.cab
    O16 - DPF: {6F6DBC29-7A0C-4AC0-A42D-10EC70678526} (Word Cubes Control) - http://mirror.worldwinner.com/games/v40/wordcube/wordcube.cab
    O16 - DPF: {76D90D08-EAB7-46D8-BF99-87445BF59E72} (SystemInfo Class) - http://directv.direcway.com/main/dpcsysinfo.cab
    O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx
    O16 - DPF: {7CA3D0A3-7E2E-4AAB-A75E-FAB8ECA8BD95} (Skilljam Game Player Object) - http://boxerjam.skilljam.com/ssp/SSP.cab
    O16 - DPF: {934CC260-C5AA-43C4-A657-7B70C5B3DAE1} (Crystal Report Web Report Source Control 9) - http://behr.tea.state.tx.us/crystalreportviewers/activeXViewer/activexviewer.cab
    O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://www.flipside.com/cab/WONWebLauncherControl.cab
    5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.13.16/ttinst.cab
    O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805/v1503/www.contentwatch.com/audit/includes/ContentAuditControl.cab
    O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.media-motor.net/cabs/mmed.cab
    O16 - DPF: {E93A6FCA-C052-45DF-AC9B-B729066092F8} (Util Class) - http://isupport4.hp.com/motivedocs/linklauncher/MotUtil.cab
    O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab
    O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/sbc/TrueInstallSBC.exe

    Reboot in safe mode and use Windows Explorer to delete:
    C:\Program Files\MyPoints_PointAlert\MyPointsPointAlert0.exe
    C:\Program Files\MyPoints_PointAlert\MyPointsPointAlert1.exe

    Boot in normal mode and post a new HJT log. Tell me how things are working.
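    As an added example (not code from this thread, from HijackThis, or from MajorGeeks), the following Python script parses O4, O9 and O16 log lines of the kind quoted in jarcher's and chaslang's posts above into records and flags the ones a reviewer triages first: entries whose file is missing, and ActiveX controls (O16 DPF) that were installed from a remote web host. The sample log is constructed from lines quoted in this thread; the truncated Toontown line is deliberately included to show that a garbled line is reported as unparsed rather than silently dropped. The regular expressions and flag names are this example's own assumptions about the log format, not an official HijackThis specification.

```python
"""Parse HijackThis-style log lines into structured records and flag the
ones worth a second look. Added example; not part of the original thread."""
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse

# Constructed sample: a handful of entries copied from the log lines quoted in
# this thread, plus the truncated Toontown line exactly as it appears there.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\\WINDOWS\\System32\\ms.exe (file missing)
O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://a19.g.akamai.net/7/19/7125/1239/ftp.coupons.com/v6/brix6ie.cab
O16 - DPF: {3D54FEE0-CE46-11D4-8288-0050BA6A5ABF} (WebPie2 Class) - file://C:\\Program Files\\Newsoft\\Presto! Mr. Photo 3\\CardExpr\\iepiev20.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.media-motor.net/cabs/mmed.cab
5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.13.16/ttinst.cab
"""

# Assumed line shapes, derived from the entries quoted in the thread.
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>[^:]+): \[(?P<value>[^\]]*)\] (?P<command>.+)$")
O9_RE = re.compile(r"^O9 - Extra (?P<kind>button|'Tools' menuitem): (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<target>.+)$")
O16_RE = re.compile(r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\}(?: \((?P<name>[^)]*)\))? - (?P<source>.+)$")


@dataclass
class Entry:
    section: str            # "O4", "O9", "O16", or "??" when the line could not be parsed
    name: str               # Run value name, button label, or control name
    clsid: Optional[str]    # CLSID in upper case so lookups are case-insensitive
    target: str             # command line, file path, or download URL
    flags: List[str] = field(default_factory=list)
    raw: str = ""


def parse_line(line: str) -> Entry:
    """Turn one log line into an Entry, attaching triage flags."""
    line = line.strip()
    if m := O16_RE.match(line):
        entry = Entry("O16", m["name"] or "(no name)", m["clsid"].upper(), m["source"], raw=line)
    elif m := O9_RE.match(line):
        entry = Entry("O9", m["name"], m["clsid"].upper(), m["target"], raw=line)
    elif m := O4_RE.match(line):
        entry = Entry("O4", m["value"], None, m["command"], raw=line)
    else:
        # Truncated or unfamiliar line: keep it, but mark it for manual review.
        entry = Entry("??", "", None, line, raw=line)
        entry.flags.append("unparsed")
        return entry

    # Dangling registration whose backing file is gone: clutter that is safe to remove.
    if "(file missing)" in entry.target or "(no file)" in entry.target:
        entry.flags.append("file-missing")
    # O16 controls fetched over HTTP(S) were installed from the web; each host
    # is worth checking, since ad-serving cabs arrive the same way as legitimate ones.
    if entry.section == "O16" and urlparse(entry.target).scheme in ("http", "https"):
        entry.flags.append("remote-activex")
    return entry


def parse_log(text: str) -> List[Entry]:
    """Parse every non-blank line of a log."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def flagged(entries: List[Entry]) -> List[Entry]:
    """Entries that carry at least one triage flag."""
    return [e for e in entries if e.flags]


def remote_hosts(entries: List[Entry]) -> List[str]:
    """Sorted, de-duplicated hostnames that served O16 ActiveX controls."""
    hosts = {urlparse(e.target).hostname for e in entries if "remote-activex" in e.flags}
    return sorted(h for h in hosts if h)


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for e in flagged(parsed):
        print(f"{e.section:3} {','.join(e.flags):22} {e.name or e.raw[:40]}")
    print("ActiveX download hosts:", ", ".join(remote_hosts(parsed)))
```

    Run stand-alone, the script lists the five flagged sample entries and the two hosts that served downloaded controls. Feeding it a full log gives a quick inventory of which sites installed ActiveX controls and which registrations point at files that no longer exist, which is the information chaslang is working from when he picks the O9 and O16 lines to fix.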
     
  15. gardner2332

    gardner2332 Private E-2

    Okay, I will try this and let you know. Thanks.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Let me know how it all worked when you finish.
     
  17. gardner2332

    gardner2332 Private E-2

    I did everything you suggested. Also, after I rebooted the second time, I uninstalled MyPoints and deleted the folder.
    Popups still happening.
    Do you know what this is:

    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize


    I've attached a log that I ran after I rebooted the last time.
     

    Attached Files:

    Last edited: Oct 11, 2004
  18. gardner2332

    gardner2332 Private E-2

    I have another question. I cannot delete folders (Cookies, History, and Temporary Internet Files) from C:\windows\temp. It gives me this message:

    Cannot delete index.dat:It is being used by another person or program.

    Could this have anything to do with my problem?
     
  19. jarcher

    jarcher I can't handle a title

    Not likely.
    It can be removed in safe mode,
    but every time you get online it creates an index.
    It's no biggie,
    and you don't need to delete the actual folders, just some of their contents.

    If you are using IE,
    just right-click the IE icon on the desktop
    and clear your cookies, files, history.
     
