ad-w-a-r-e nightmare

[gardner2332]

I'm having major problems getting rid of www.ad-w-a-r-e.com popups. I think I have followed all the steps in the sticky thread. I have ran Spybot, Adware, CWShedder, etc. I've ran HJT, but don't know what is safe to delete. Any help would be appreciated.

System specs:

Windows XP Home Edition Service Pack 2 (build 2600)
Processor
900 megahertz Intel Celeron
32 kilobyte primary memory cache
128 kilobyte secondary memory cache
Board: Asus CUW-AM/MEW-AM 2.02
BIOS: Phoenix Technologies LTD 3.02 08/24/2001

[chaslang]

Follow the guidelines in NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

and post you log as an attachment. There has been a few of these lately.

[gardner2332]

Okay, my hjt log is attached.

[vernalex]

On my website I have dedicated a section to malware removal and the major focus is spyware and adware. One of the chapters is about quick removal, but it's not as complete as the rest of the guide. Let me know if it helps at all.

[chaslang]

You need to get HJT off your desktop and put it in its own directory. See the tutorial on it again.

Do you know what this is:
C:\Program Files\MyPoints_PointAlert\MyPointsPointAlert1.exe

[jarcher]

Quote:

Originally Posted by chaslang

Follow the guidelines in NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

put the HJT application in its own folder and not on the desktop
and then run it again

reason being HJT needs to make backups and will only do that if it is in its own folder

oops sorry chaslang
was in mid post

[chaslang]

Quote:

Originally Posted by jarcher

put the HJT application in its own folder and not on the desktop
and then run it again

reason being HJT needs to make backups and will only do that if it is in its own folder

oops sorry chaslang
was in mid post

No problem jarcher! But to be correct, HijackThis can create backups when you run it from the desktop. It will create a new folder called backups on your desktop. This is a bad idea though because it is too easy to delete (no one knows what it is for or where it came from) and it causes more desktop clutter. Those are the main reasons to not use the desktop.

[jarcher]

I apalogize for the mis-information
and spelling :grin: :D

[gardner2332]

I have it in its own folder inside another folder on the desktop for easier access, but I can move it if it's a problem.

[jarcher]

it would be better if it was not on the desktop at all
like
C:\Program Files\ HJT

[gardner2332]

I moved my HJT folder. Here's the new log.

[jarcher]

these I believe should be fixed


O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) -
http://a19.g.akamai.net/7/19/7125/12...v6/brix6ie.cab

O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) -
http://a840.g.akamai.net/7/840/5805/...m/audit/includ
es/ContentAuditControl.cab

O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab


there are more that I am not to certain of

best wait for chaslang though as you see
I am not to good with information, as of yet. . .
I am working on it

[gardner2332]

I know what
C:\Program Files\MyPoints_PointAlert\MyPointsPointAlert1.exe
is. It's not really important. I don't use that service much anymore.

[chaslang]

Okay! Then you should look for an uninstall in Add/Remove programs and uninstall it. There is a load of stuff for it in your log. I will leave it my analysis as it should be delete. It's up to you on what to do with MyPoints_PointAlert.

Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Find the below processes and End them:
C:\Program Files\MyPoints_PointAlert\MyPointsPointAlert0.exe
C:\Program Files\MyPoints_PointAlert\MyPointsPointAlert1.exe

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
O8 - Extra context menu item: MyPoints - file://C:\Program Files\MyPoints_PointAlert\Sy800\Tp800\scri800a.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra button: Point Alert - {16BF42FD-CA0A-4f48-819D-B0343254DD67} - file://C:\Program Files\MyPointsPointAlert\System\Temp\mypoints_script0.htm (file missing) (HKCU)
O9 - Extra button: Point Alert - {67B50696-04BA-48ea-A697-28AA0EAA9C26} - file://C:\Program Files\MyPoints_PointAlert\Sy800\Tp800\scri800a.htm (HKCU)
O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://a19.g.akamai.net/7/19/7125/12...v6/brix6ie.cab
O16 - DPF: {2DEF4530-8CE6-41C9-84B6-A54536C90213} (Crystal Report Viewer Control 9) - http://behr.tea.state.tx.us/crystalr...ivexviewer.cab
O16 - DPF: {3D54FEE0-CE46-11D4-8288-0050BA6A5ABF} (WebPie2 Class) - file://C:\Program Files\Newsoft\Presto! Mr. Photo 3\CardExpr\iepiev20.cab
O16 - DPF: {41289E02-198A-4034-8CF9-5A8739A80D0D} (ReportPromptInfoDlg Class) - http://behr.tea.state.tx.us/crystalr...eterdialog.cab
O16 - DPF: {4B5C9C28-3806-47B5-89A9-93063323160F} (ReportExport Class) - http://behr.tea.state.tx.us/crystalr...ivexviewer.cab
O16 - DPF: {5EE92643-21CE-4949-903F-39439DCC3944} (Shapetris Control) - http://mirror.worldwinner.com/games/v42/shape/shape.cab
O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) - http://www.worldwinner.com/games/shared/dephlp.cab
O16 - DPF: {6F6DBC29-7A0C-4AC0-A42D-10EC70678526} (Word Cubes Control) - http://mirror.worldwinner.com/games/...e/wordcube.cab
O16 - DPF: {76D90D08-EAB7-46D8-BF99-87445BF59E72} (SystemInfo Class) - http://directv.direcway.com/main/dpcsysinfo.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx
O16 - DPF: {7CA3D0A3-7E2E-4AAB-A75E-FAB8ECA8BD95} (Skilljam Game Player Object) - http://boxerjam.skilljam.com/ssp/SSP.cab
O16 - DPF: {934CC260-C5AA-43C4-A657-7B70C5B3DAE1} (Crystal Report Web Report Source Control 9) - http://behr.tea.state.tx.us/crystalr...ivexviewer.cab
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://www.flipside.com/cab/WONWebLauncherControl.cab
5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.13.16/ttinst.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805/...ditControl.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.media-motor.net/cabs/mmed.cab
O16 - DPF: {E93A6FCA-C052-45DF-AC9B-B729066092F8} (Util Class) - http://isupport4.hp.com/motivedocs/l...er/MotUtil.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/sbc/TrueInstallSBC.exe

Reboot in safe mode and use Windows Explorer to delete:
C:\Program Files\MyPoints_PointAlert\MyPointsPointAlert0.exe
C:\Program Files\MyPoints_PointAlert\MyPointsPointAlert1.exe

Boot in normal mode and post a new HJT log. Tell me how things are working.

[gardner2332]

Okay, I will try this and let you know. Thanks.

[chaslang]

Let me know how it all worked when you finish.

[gardner2332]

I did everything you suggested. Also, after I rebooted the second time, I uninstalled MyPoints and deleted the folder.
Popups still happening.
Do you know what this is:

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize


I've attached a log that I ran after I rebooted the last time.

[gardner2332]

I have another question. I can not delete folders(Cookies, History, and Temporary Internet Files) from C:\windows\temp. It gives me this message:

Cannot delete index.dat:It is being used by another person or program.

Could this have anything to do with my problem?

[jarcher]

not likely
it can be removed in safe mode
but everytime you get online it creates an index
its no bigggie
and you don't need to delete the actual folders, just some of its contents

if you are using IE
just right click the IE icon on the desktop
and clear your cookies , files, history