SyncroAd.exe and WinSync.exe

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by cthompson, Sep 29, 2004.

  1. cthompson

    cthompson Private E-2

    These two processes won't go away. I did EVERYTHING you guys said to according to the Spyware and Trojan Removal topic in the forums and I ran HiJackThis. I've attached my log file for it too. Please get back to me on this matter and tell me any possible way to fix it.
     


  2. PhilliePhan

    PhilliePhan Guest

    Hi cthompson,

    Take a look in Add or Remove Programs to see if you are able to uninstall the following:

    New.Net
    My Way
    My Bar
    SyncroAd
    WinSync

    If they are not there, you'll need to search for them and delete them!

    Then, have HJT fix these:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

    R3 - Default URLSearchHook is missing

    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\2.bin\MYBAR.DLL

    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

    O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll (file missing)

    O2 - BHO: C:\WINDOWS\lbbho.dll - {E23D905F-D392-4E45-84CC-71920E2ABDF1} - C:\WINDOWS\lbbho.dll

    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

    O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\2.bin\MYBAR.DLL

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    O4 - HKLM\..\Run: [Windows SyncroAd] C:\Program Files\Windows SyncroAd\SyncroAd.exe

    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

    O10 - Hijacked Internet access by New.Net

    O10 - Hijacked Internet access by New.Net

    O10 - Hijacked Internet access by New.Net

    O10 - Hijacked Internet access by New.Net

    O10 - Hijacked Internet access by New.Net

    If this looks good to you, then leave it:
    O14 - IERESET.INF: START_PAGE_URL=http://help.cableone.net

    For the O16 items, you should recognize the ones you want or need. This one looks kind of iffy:
    O16 - DPF: {4E7BD74F-2B8D-469E-D4FF-EB2CF4D5FA7D} - http://tafbar.com/taf.cab

    By the way, I left out Wild Tangent. Personally, I'd dump it.

    This should get you headed in the right direction. I don't want to leave you hanging, but I've got to get some sleep. (I'm spending waaaay too much time in this forum ;) ) I imagine chaslang or M.A. will check in on you though. :)

    Best luck,

    PP
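The fix list in the post above mixes three kinds of entry: registry values whose file is already gone, autoruns whose file still exists, and repeated O10 lines. The following is an added example, not part of the original thread or of HijackThis itself, that parses those lines and groups them; the sample is a constructed subset of the lines quoted above, and the function names and dictionary keys are chosen for this example.

```python
import re
from collections import Counter

# Constructed sample: a subset of the HijackThis lines quoted in the post above.
SAMPLE = r"""
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\2.bin\MYBAR.DLL
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows SyncroAd] C:\Program Files\Windows SyncroAd\SyncroAd.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
"""

LINE = re.compile(r"^([A-Z]\d+) - (.*)$")                   # "O4 - <body>"
RUN = re.compile(r"^HK\w+\\\.\.\\\w+: \[([^\]]+)\] (.+)$")  # "HKLM\..\Run: [name] command"
CLSID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
ORPHAN_MARKS = ("(no file)", "(file missing)")

def parse(log):
    """Split each 'SECTION - body' line into the fields used by triage()."""
    entries = []
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # log header, running-process list, blank lines
        section, body = m.groups()
        clsid = CLSID.search(body)
        run = RUN.match(body) if section == "O4" else None
        entries.append({
            "section": section, "body": body,
            "clsid": clsid.group(0).upper() if clsid else None,
            "autorun": run.groups() if run else None,   # (value name, command line)
            "orphaned": body.endswith(ORPHAN_MARKS),    # registry entry whose file is gone
        })
    return entries

def triage(entries):
    """Group the parsed entries by the kind of attention they need."""
    repeats = Counter(e["body"] for e in entries)
    return {
        "orphaned": sorted(e["clsid"] for e in entries if e["orphaned"] and e["clsid"]),
        "autoruns": [e["autorun"] for e in entries if e["autorun"]],
        "lsp": sum(1 for e in entries if e["section"] == "O10"),
        "repeated": {body: n for body, n in repeats.items() if n > 1},
    }

if __name__ == "__main__":
    print(triage(parse(SAMPLE)))
```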
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Be careful with these:
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net

    Fixing these can sometimes break internet access. You would be well served to download LSP-Fix from here first: http://www.majorgeeks.com/download4180.html . That way you will have it if your connection gets broken.

    If it does, check the HJT log to see if it reports the problem DLL. If so, run LSP Fix and check the "I know what I am doing" box. Click on the problem DLL in the left window and click on the arrow pointing to the right. Click Finish and follow the prompts.
    Delete the problem DLL file (if found).
     
  4. PhilliePhan

    PhilliePhan Guest

    Thanks Chas :)
    Another swing and miss for the PhilliePhan and another reason I should probably hang in the background - bad advice is worse than none at all!

    cthompson - I looked up tafbar and it looks like something you probably wanted. However, it also seems to be the type of thing that begs for malware problems.

    Best,

    PP
     
  5. Gunwale

    Gunwale Private E-2

    I just got rid of these myself. Ran the posted process for getting rid of spyware and trojans. I had to boot to safe mode and find the files SyncroAd.exe and WinSync.exe and delete them manually. I also ran msconfig to check and make sure they were not checked to run at startup.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    SyncroAd.exe and WinSync.exe are normally removable using Add/Remove programs.
     
  7. Kodo

    Kodo SNATCHSQUATCH

    I would dump these too as they are listed as adware.

    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
     
  8. steinr

    steinr Private E-2

    Hello,

    I had the same problem as you all, getting rid of WinSync.exe and SyncroAd.exe. This thread has been viewed over 3500 times. HijackThis detected the registry Run entry but was unable to remove it. I could not find any fix when searching the net and this forum other than booting into safe mode and deleting the files manually.

    I tried to examine what was going on more closely: If the Run registry entry is deleted (as HijackThis tries to) it is immediately restored by one of the two running processes WinSync.exe and SyncroAd.exe. If one of these two processes is killed, the killed process is immediately restarted again by the other process, and thus impossible to kill in the usual way.

    The solution is to kill both at the same time: Using ProcessExplorer I found that SyncroAd is a child process of WinSync. The solution is therefore surprisingly simple: Using the task manager, kill WinSync but select "End Process Tree" instead of just "End Process". Voilà - both processes are gone and the registry entry and exe files can be deleted without problems. The DLL file could not be deleted until after a restart though.

    Can someone post this info to the makers of HijackThis and similar programs? I did not find any place to submit this fix. SpyBot S&D does not detect this pest at all.
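The parent/child lookup described in the post above can be done from a process listing instead of by eye. This is an added example, not part of the original thread: given two process names that restart each other, it finds which one is the tree root and which processes belong to that tree. The snapshot is constructed (PIDs and start times are made up; only the WinSync to SyncroAd relation comes from the post), and `tree_members` is a name chosen for this example.

```python
from collections import defaultdict

# Constructed snapshot rows: (pid, parent pid, name, start time in seconds).
# On a live system the same fields are exposed by Win32_Process as
# ProcessId, ParentProcessId, Name and CreationDate.
SNAPSHOT = [
    (4,    0,    "System",       0),
    (1180, 4,    "explorer.exe", 30),
    (2044, 1180, "WinSync.exe",  95),
    (2108, 2044, "SyncroAd.exe", 96),
    (2300, 1180, "notepad.exe",  400),
    (2512, 2108, "iexplore.exe", 50),  # older than its "parent": PID 2108 was reused
]

def tree_members(snapshot, suspects):
    """Return [(pid, name)] for the suspect tree(s), root first."""
    wanted = {s.lower() for s in suspects}
    info = {pid: (name, start) for pid, _, name, start in snapshot}
    # Windows never updates a stored parent PID, so a link is trusted only
    # when the parent still exists and started no later than the child.
    parent = {pid: ppid for pid, ppid, _, start in snapshot
              if ppid in info and ppid != pid and info[ppid][1] <= start}
    children = defaultdict(list)
    for pid, ppid in parent.items():
        children[ppid].append(pid)
    hits = [pid for pid, (name, _) in info.items() if name.lower() in wanted]
    # A root is a suspect whose verified parent is not itself a suspect.
    roots = [pid for pid in hits if parent.get(pid) not in hits]
    members, stack = [], roots[::-1]
    while stack:
        pid = stack.pop()
        members.append((pid, info[pid][0]))
        stack.extend(reversed(children[pid]))
    return members

if __name__ == "__main__":
    for pid, name in tree_members(SNAPSHOT, ["SyncroAd.exe", "WinSync.exe"]):
        print(pid, name)
```

The first row returned is the process to select for "End Process Tree"; the stale `iexplore.exe` row is left out because its recorded parent PID belongs to a process that started after it.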
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Thanks for the info Steinr. This may prove useful and I'll be sure to remember it. We have been able to resolve quite a few of these already. In some cases, they were actually fixed by uninstalling from Add/Remove programs. In other cases, by killing the processes, fixing HJT lines, and deleting files in safe mode.
     
  10. PhilliePhan

    PhilliePhan Guest

    Hi Steinr,

    You are right - this is a popular problem these days.

    I like your process :) Perhaps you should take it to PC HELL:
    http://www.pchell.com/

    I find that site to be helpful and its creator might be interested in your work.

    Regards,

    PP
     
  11. frymyass

    frymyass Private E-2

    @ steinr

    tnx my man, that did the trick. END PROCESS TREE on WINSYNC and after that same on SYNCROAD.. genius IS in simple solutions i guess.. tnx a lot

    btw, nice forum u got here (@ admins)
     
  12. rpirrone

    rpirrone Private E-2

    I've got a twist on the Winsync.exe problems you guys have been dealing with. While browsing the net a few hours ago and running a McAfee firewall, it popped up saying it detected a trojan and the trojan had been deleted. Obviously this was not the case as winsync now infects my computer. End process tree is not working, but here's the kicker... I don't have a run option to get into the registry in either safe mode or standard, nor do I have any programs listed under "add/remove programs". There are 44 processes running including eber.exe, addtp.exe, lsass.exe, atltt.exe, amongst others I've never heard of. The only folder I can get into is the My Computer folder. When I click on "Start/all programs", nothing comes up. None of the shortcuts on the desktop work either, as I was trying to get into McAfee and see if I could clean this off. Appreciate any help you guys have...
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to put this in your own thread. It's okay to add comments on the WinSync problem in this thread but now you are asking for help of your own and it's also unrelated. Please start a new thread. You need to see if you can run any of this sticky thread < READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal >
     
