MajorGeeks Support Forums

  #1  
Old 10-10-04, 22:21
gardner2332 gardner2332 is offline
Private E-2
 
Join Date: Oct 2004
Posts: 8
Thanks: 0
Thanked 0 Times in 0 Posts
ad-w-a-r-e nightmare

I'm having major problems getting rid of www.ad-w-a-r-e.com popups. I think I have followed all the steps in the sticky thread. I have run Spybot, Adware, CWShredder, etc. I've run HJT, but don't know what is safe to delete. Any help would be appreciated.

System specs:

Windows XP Home Edition Service Pack 2 (build 2600)
Processor
900 megahertz Intel Celeron
32 kilobyte primary memory cache
128 kilobyte secondary memory cache
Board: Asus CUW-AM/MEW-AM 2.02
BIOS: Phoenix Technologies LTD 3.02 08/24/2001
  #2  
Old 10-10-04, 22:30
chaslang chaslang is offline
MajorGeeks Admin - Master Malware Expert
 
Join Date: Feb 2004
Location: Northern New Jersey USA
Posts: 80,447
Thanks: 62
Thanked 7,694 Times in 4,148 Posts
Re: ad-w-a-r-e nightmare

Follow the guidelines in NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting and post your log as an attachment. There have been a few of these lately.
__________________
"There are 10 types of people in this world. Those who understand binary and those who don't."


  #3  
Old 10-10-04, 22:52
gardner2332 gardner2332 is offline

Okay, my hjt log is attached.
Attached Files
File Type: txt hijackthis.txt (11.2 KB, 7 views)
  #4  
Old 10-10-04, 23:03
vernalex vernalex is offline
Private E-2
 
Join Date: Oct 2004
Posts: 1
Thanks: 0
Thanked 0 Times in 0 Posts
Re: ad-w-a-r-e nightmare

On my website I have dedicated a section to malware removal and the major focus is spyware and adware. One of the chapters is about quick removal, but it's not as complete as the rest of the guide. Let me know if it helps at all.
  #5  
Old 10-10-04, 23:04
chaslang chaslang is offline

You need to get HJT off your desktop and put it in its own directory. See the tutorial on it again.

Do you know what this is:
C:\Program Files\MyPoints_PointAlert\MyPointsPointAlert1.exe
  #6  
Old 10-10-04, 23:05
jarcher jarcher is offline
I can't handle a title
 
Join Date: Jun 2004
Location: in morbid fear
Posts: 3,758
Thanks: 0
Thanked 2 Times in 2 Posts
Re: ad-w-a-r-e nightmare

Quote:
Originally Posted by chaslang
put the HJT application in its own folder and not on the desktop
and then run it again

reason being HJT needs to make backups and will only do that if it is in its own folder

oops sorry chaslang
was in mid post
  #7  
Old 10-10-04, 23:12
chaslang chaslang is offline

Quote:
Originally Posted by jarcher
put the HJT application in its own folder and not on the desktop
and then run it again

reason being HJT needs to make backups and will only do that if it is in its own folder

oops sorry chaslang
was in mid post

No problem jarcher! But to be correct, HijackThis can create backups when you run it from the desktop. It will create a new folder called backups on your desktop. This is a bad idea though because it is too easy to delete (no one knows what it is for or where it came from) and it causes more desktop clutter. Those are the main reasons to not use the desktop.
  #8  
Old 10-10-04, 23:15
jarcher jarcher is offline

I apalogize for the mis-information
and spelling :grin: :D
  #9  
Old 10-10-04, 23:19
gardner2332 gardner2332 is offline

I have it in its own folder inside another folder on the desktop for easier access, but I can move it if it's a problem.
  #10  
Old 10-10-04, 23:21
jarcher jarcher is offline

it would be better if it was not on the desktop at all
like
C:\Program Files\HJT
  #11  
Old 10-10-04, 23:31
gardner2332 gardner2332 is offline

I moved my HJT folder. Here's the new log.
Attached Files
File Type: txt hijackthis.txt (11.2 KB, 3 views)
  #12  
Old 10-10-04, 23:43
jarcher jarcher is offline

these I believe should be fixed


O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://a19.g.akamai.net/7/19/7125/12...v6/brix6ie.cab

O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805/...m/audit/includes/ContentAuditControl.cab

O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab


there are more that I am not too certain of

best wait for chaslang though as you see
I am not too good with information, as of yet. . .
I am working on it
  #13  
Old 10-10-04, 23:43
gardner2332 gardner2332 is offline

I know what
C:\Program Files\MyPoints_PointAlert\MyPointsPointAlert1.exe
is. It's not really important. I don't use that service much anymore.
  #14  
Old 10-10-04, 23:46
chaslang chaslang is offline

Okay! Then you should look for an uninstall in Add/Remove programs and uninstall it. There is a load of stuff for it in your log. I will leave it in my analysis as it should be deleted. It's up to you on what to do with MyPoints_PointAlert.

Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Find the below processes and End them:
C:\Program Files\MyPoints_PointAlert\MyPointsPointAlert0.exe
C:\Program Files\MyPoints_PointAlert\MyPointsPointAlert1.exe

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
O8 - Extra context menu item: MyPoints - file://C:\Program Files\MyPoints_PointAlert\Sy800\Tp800\scri800a.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra button: Point Alert - {16BF42FD-CA0A-4f48-819D-B0343254DD67} - file://C:\Program Files\MyPointsPointAlert\System\Temp\mypoints_script0.htm (file missing) (HKCU)
O9 - Extra button: Point Alert - {67B50696-04BA-48ea-A697-28AA0EAA9C26} - file://C:\Program Files\MyPoints_PointAlert\Sy800\Tp800\scri800a.htm (HKCU)
O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://a19.g.akamai.net/7/19/7125/12...v6/brix6ie.cab
O16 - DPF: {2DEF4530-8CE6-41C9-84B6-A54536C90213} (Crystal Report Viewer Control 9) - http://behr.tea.state.tx.us/crystalr...ivexviewer.cab
O16 - DPF: {3D54FEE0-CE46-11D4-8288-0050BA6A5ABF} (WebPie2 Class) - file://C:\Program Files\Newsoft\Presto! Mr. Photo 3\CardExpr\iepiev20.cab
O16 - DPF: {41289E02-198A-4034-8CF9-5A8739A80D0D} (ReportPromptInfoDlg Class) - http://behr.tea.state.tx.us/crystalr...eterdialog.cab
O16 - DPF: {4B5C9C28-3806-47B5-89A9-93063323160F} (ReportExport Class) - http://behr.tea.state.tx.us/crystalr...ivexviewer.cab
O16 - DPF: {5EE92643-21CE-4949-903F-39439DCC3944} (Shapetris Control) - http://mirror.worldwinner.com/games/v42/shape/shape.cab
O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) - http://www.worldwinner.com/games/shared/dephlp.cab
O16 - DPF: {6F6DBC29-7A0C-4AC0-A42D-10EC70678526} (Word Cubes Control) - http://mirror.worldwinner.com/games/...e/wordcube.cab
O16 - DPF: {76D90D08-EAB7-46D8-BF99-87445BF59E72} (SystemInfo Class) - http://directv.direcway.com/main/dpcsysinfo.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx
O16 - DPF: {7CA3D0A3-7E2E-4AAB-A75E-FAB8ECA8BD95} (Skilljam Game Player Object) - http://boxerjam.skilljam.com/ssp/SSP.cab
O16 - DPF: {934CC260-C5AA-43C4-A657-7B70C5B3DAE1} (Crystal Report Web Report Source Control 9) - http://behr.tea.state.tx.us/crystalr...ivexviewer.cab
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://www.flipside.com/cab/WONWebLauncherControl.cab
5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.13.16/ttinst.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805/...ditControl.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.media-motor.net/cabs/mmed.cab
O16 - DPF: {E93A6FCA-C052-45DF-AC9B-B729066092F8} (Util Class) - http://isupport4.hp.com/motivedocs/l...er/MotUtil.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/sbc/TrueInstallSBC.exe

Reboot in safe mode and use Windows Explorer to delete:
C:\Program Files\MyPoints_PointAlert\MyPointsPointAlert0.exe
C:\Program Files\MyPoints_PointAlert\MyPointsPointAlert1.exe

Boot in normal mode and post a new HJT log. Tell me how things are working.
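A small triage helper for the kind of HijackThis entries listed in the post above, added here as an example and not part of the original thread: it groups entries by section code, marks those HijackThis annotated as `(no file)` or `(file missing)`, pulls the CLSID, control name and download host out of O16 lines, and sets aside lines it cannot parse. The function names are hypothetical; the sample lines are copied from the logs quoted in this thread.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Sample input: entries copied from the logs quoted in this thread,
# including the one line that lost its "O16 - DPF: {..." prefix.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O8 - Extra context menu item: MyPoints - file://C:\Program Files\MyPoints_PointAlert\Sy800\Tp800\scri800a.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O16 - DPF: {5EE92643-21CE-4949-903F-39439DCC3944} (Shapetris Control) - http://mirror.worldwinner.com/games/v42/shape/shape.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab
5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.13.16/ttinst.cab
"""

ENTRY = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
DPF = re.compile(
    r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]{36}\})"
    r"(?: \((?P<name>.*)\))? - (?P<source>\S.*)$"
)
ORPHAN = re.compile(r"\((?:no file|file missing)\)")


def parse_hjt(text):
    """Group HijackThis entries by section code; collect unparseable lines."""
    sections, unparsed = defaultdict(list), []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ENTRY.match(line)
        if not m:
            unparsed.append(line)  # truncated or damaged: review by hand
            continue
        entry = {"raw": line, "orphan": bool(ORPHAN.search(m["body"]))}
        dpf = DPF.match(m["body"]) if m["section"] == "O16" else None
        if dpf:  # name is None when the control is unnamed
            entry.update(clsid=dpf["clsid"].upper(), name=dpf["name"],
                         host=urlparse(dpf["source"]).hostname)
        sections[m["section"]].append(entry)
    return dict(sections), unparsed


def orphans(sections):
    """Entries whose target file HijackThis reported as absent."""
    return [e["raw"] for es in sections.values() for e in es if e["orphan"]]
```

Lines returned in the second element of `parse_hjt`'s result are the ones to check against the original log file, since a damaged line can hide the section code or CLSID.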
  #15  
Old 10-10-04, 23:54
gardner2332 gardner2332 is offline

Okay, I will try this and let you know. Thanks.
  #16  
Old 10-11-04, 00:03
chaslang chaslang is offline

Let me know how it all worked when you finish.
  #17  
Old 10-11-04, 00:27
gardner2332 gardner2332 is offline

I did everything you suggested. Also, after I rebooted the second time, I uninstalled MyPoints and deleted the folder.
Popups still happening.
Do you know what this is:

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize


I've attached a log that I ran after I rebooted the last time.
Attached Files
File Type: txt hijackthis1.txt (7.7 KB, 1 views)

Last edited by gardner2332; 10-11-04 at 00:31.. Reason: adding hjt log
  #18  
Old 10-11-04, 00:48
gardner2332 gardner2332 is offline

I have another question. I cannot delete folders (Cookies, History, and Temporary Internet Files) from C:\windows\temp. It gives me this message:

Cannot delete index.dat:It is being used by another person or program.

Could this have anything to do with my problem?
  #19  
Old 10-11-04, 01:19
jarcher jarcher is offline

not likely
it can be removed in safe mode
but every time you get online it creates an index
it's no biggie
and you don't need to delete the actual folders, just some of its contents

if you are using IE
just right click the IE icon on the desktop
and clear your cookies, files, history