DCADS Pop up.

Discussion in 'Malware Help (A Specialist Will Reply)' started by thecackster, Jan 10, 2008.

  1. thecackster

    thecackster Private E-2

    I keep having the DCADS pop up. I am in need of some help. So far I've done everything on your list except the AVG, which is running right now for the 2nd time because I forgot the log last time. I will post that log as soon as it's done. It started when I got a "game" from a friend, but it wasn't just games, it was this crap too. It was about a week ago. Thanks so much in advance.
     
  2. thecackster

    thecackster Private E-2

  3. thecackster

    thecackster Private E-2

    Not trying to bump, just posting attachments... it wasn't working earlier. :confused
     

    Attached Files:

  4. abri

    abri MajorGeek

    Hi the cackster!
    Welcome to Major Geeks!



    Please set your start up to normal system start. Go to Start / Run and type in msconfig. In the window that opens up, check the normal system start box, click on accept and okay.



    Is the following folder one belonging to software you want to have?

    C:\Documents and Settings\The Cack\Application Data\iLike


    1) Go to add/remove programs and uninstall the below:


    - Java 2 Runtime Environment, SE v1.4.2_03
    - J2SE Runtime Environment 5.0 Update 10
    - J2SE Runtime Environment 5.0 Update 11
    - J2SE Runtime Environment 5.0 Update 4
    - J2SE Runtime Environment 5.0 Update 6
    - Messenger Plus! 3 & Sponsor
    - Messenger Plus! Live & Sponsor (CiD)
    - Viewpoint Manager (Remove Only)
    - Viewpoint Media Player
    - Search Assistant Dcads <---if you get any message about needing to have a contract to uninstall this, just click cancel


    2) Reboot after uninstalling the above.

    3) Install the current version of Sun Java from: Sun Java Runtime Environment


    4) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:


    O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
    O2 - BHO: Dcads Search Assistant - {1648E328-3E5A-4EA5-A9C6-E5F09EE272DA} - C:\WINDOWS\system32\dcads_sidebar.dll
    O4 - HKLM\..\Run: [Windows Media Connect 2] "C:\Program Files\Windows Media Connect 2\WMCCFG.exe" /StartQuiet
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
    O4 - HKUS\S-1-5-21-3241508311-760380368-3588314196-501\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (User 'Guest')

    After you click fix, just close hijackthis.


    5) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger

    6) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    7) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    8) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.


    Let me know how things are running now?

    abri
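The HijackThis step above asks the reader to pick specific O2/O4 lines out of a scan by hand. As an added example (not code from HijackThis, MGtools or this thread), the script below parses those two line types and flags entries against a small watchlist built from the indicators abri quoted: the Dcads BHO CLSID and its DLL name. The sample log is the six lines from post #4; the watchlist structure and the field names are my own.

```python
"""Parse HijackThis O2 (BHO) and O4 (autostart) lines and flag watchlisted entries.

Added example for this thread, not code from HijackThis or MGtools. The watchlist
values are the Dcads indicators quoted in post #4 (CLSID and DLL name); the rest
of the watchlist layout is an assumption about what a reviewer wants flagged.
"""
import os
import re
from typing import Optional

# Constructed sample input: the six log lines abri quoted in post #4.
SAMPLE_LOG = r"""O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O2 - BHO: Dcads Search Assistant - {1648E328-3E5A-4EA5-A9C6-E5F09EE272DA} - C:\WINDOWS\system32\dcads_sidebar.dll
O4 - HKLM\..\Run: [Windows Media Connect 2] "C:\Program Files\Windows Media Connect 2\WMCCFG.exe" /StartQuiet
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKUS\S-1-5-21-3241508311-760380368-3588314196-501\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (User 'Guest')
"""

# Indicators taken from the thread: the BHO CLSID and its DLL file name.
WATCHLIST = {
    "clsids": {"{1648E328-3E5A-4EA5-A9C6-E5F09EE272DA}"},
    "files": {"dcads_sidebar.dll"},
    "name_substrings": {"dcads"},
}

# O4 - <hive>\..\Run: [<name>] <command> (User '<user>')   (the user part is optional)
O4_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+?)"
    r"(?: \(User '(?P<user>[^']*)'\))?$"
)
# O2 - BHO: <name> - {<CLSID>} - <dll path>
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")


def _command_path(cmd: str) -> str:
    """Return the executable path from a Run command line (quoted, or the first token)."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def parse_hjt_line(line: str) -> Optional[dict]:
    """Parse one O2 or O4 line into a dict; return None for any other line type."""
    line = line.strip()
    m = O4_RE.match(line)
    if m:
        return {
            "type": "O4",
            "hive": m["hive"],
            "name": m["name"],
            "path": _command_path(m["cmd"]),
            "command": m["cmd"],
            "user": m["user"],  # only set for HKUS entries that name a profile
        }
    m = O2_RE.match(line)
    if m:
        return {"type": "O2", "name": m["name"], "clsid": m["clsid"].upper(),
                "path": m["path"], "user": None}
    return None


def flag_entry(entry: dict, watchlist: dict = WATCHLIST) -> list:
    """List the reasons an entry matches the watchlist (empty list means no match)."""
    reasons = []
    filename = os.path.basename(entry["path"].replace("\\", "/")).lower()
    if filename in watchlist["files"]:
        reasons.append(f"file on watchlist: {filename}")
    if entry.get("clsid") in watchlist["clsids"]:
        reasons.append(f"CLSID on watchlist: {entry['clsid']}")
    for fragment in watchlist["name_substrings"]:
        if fragment in entry["name"].lower():
            reasons.append(f"name contains '{fragment}'")
    return reasons


def find_flagged(log_text: str, watchlist: dict = WATCHLIST) -> list:
    """Return the parsed log entries that match the watchlist, each with its reasons."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_hjt_line(line)
        if entry is None:
            continue
        reasons = flag_entry(entry, watchlist)
        if reasons:
            flagged.append({"line": line.strip(), "entry": entry, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in find_flagged(SAMPLE_LOG):
        print(hit["line"])
        for reason in hit["reasons"]:
            print("   ->", reason)
```

Only the BHO line is flagged by the watchlist; the Messenger Plus, Windows Media Connect and QuickTime entries abri also asked to fix are ordinary autostarts that a helper removes for cleanliness, which is why they are left to human judgement rather than to the indicator match.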
     
  5. thecackster

    thecackster Private E-2

    I got rid of that stupid iLike program a while back, and I noticed that you didn't ask me to delete the Java update 9. Was that intentional?
    Also, I couldn't find these in the HJT thing:

    O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
    O2 - BHO: Dcads Search Assistant - {1648E328-3E5A-4EA5-A9C6-E5F09EE272DA} - C:\WINDOWS\system32\dcads_sidebar.dll
    O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
    O4 - HKUS\S-1-5-21-3241508311-760380368-3588314196-501\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (User 'Guest')

    Well, all seems to be running well; I haven't seen the DCADS pop-up yet. Also, should I change my boot back to selective?
     

    Attached Files:

  6. thecackster

    thecackster Private E-2

    Ok that bastard just popped up again.
     
  7. abri

    abri MajorGeek

    Hi thecackster!
    (language, please)

    I think the dcads was gone when you redid your GetLogs.bat. Please run them again as per the last instruction in post #4 and let me see if it came back in.

    Yes, I missed the other old Java. Please uninstall it too.

    Selective mode of msconfig is a diagnostic tool. It's not a solution to having unwanted startup items. You need to get rid of items you don't want in startup. Here are some suggestions:
    abri
     
  8. thecackster

    thecackster Private E-2

    Sorry about that :eek:, and as far as the dcads pop-up, the actual window comes up but it won't connect to their server, so part of it is gone, I think?
     

    Attached Files:

  9. abri

    abri MajorGeek

    Hi the Cackster!

    Let's see if we can find more instances of dcads:

    Now Download the Registry Search Tool

    Unzip to your Desktop and double click on regsrch.vbs
    (if you have script protection in your antivirus program, please allow this to run)

    In the dialog that opens copy and paste in the following:

    dcads

    Press 'OK'

    The search will run for a while then alert you when it is finished. Press 'OK' and copy the contents of the WordPad window and attach it to this thread.

    abri
     
  10. thecackster

    thecackster Private E-2

    Here ya go, looks like 6 of 'em.
     

    Attached Files:

  11. abri

    abri MajorGeek

    Did that get rid of the popup window?

    I would like the MGlogs.zip one more time. Here are the instructions again:
    Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates.
    (the tool is in the folder, the logs are directly under C)
    If this has resolved the problem, I will post you a final set of clean-up instructions.

    abri
     
  12. thecackster

    thecackster Private E-2

    It just searched, I thought. I didn't delete them? I am pretty sure it is still coming up.
     
  13. abri

    abri MajorGeek

    Run it again and see if it finds anything. If it does, please save the contents of the search and attach them here.
    Thanks.
    abri
     
  14. thecackster

    thecackster Private E-2

    I think it's the same 6.
     

    Attached Files:

  15. abri

    abri MajorGeek

    Hi The Cackster!

    1)
    Download and install Erunt. Use it to create a backup of your registry.

    2) Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    3) Now run Avenger.
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    4) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    5) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.


    Let me know how things are running now?

    abri
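Post #9 has the reader search the registry for the string "dcads" with the Registry Search Tool, and step 2 above has them merge a fixME.reg that abri prepared from the hits. As an added example (not the Registry Search Tool, and not the fixME.reg from this thread, whose contents are not reproduced on the page), the script below does the same keyword search over the text of a .reg export and then drafts the deletion syntax a fix file uses: `[-key]` removes a key, `"name"=-` removes a value. SAMPLE_REG is constructed for the example: the key names are the usual BHO and COM server registration locations, filled in with the Dcads CLSID, DLL and add/remove name quoted earlier in the thread; on a real machine the input would come from `reg export` or a regedit export.

```python
"""Keyword search over a Windows .reg export, in the spirit of the regsrch.vbs
search from post #9, plus a helper that turns hits into .reg deletion lines.

Added example for this thread, not the Registry Search Tool itself and not the
fixME.reg abri posted (that file's contents are not in the thread). SAMPLE_REG
is constructed: the key paths are where a BHO and its COM server are normally
registered, filled with the Dcads CLSID, DLL and add/remove name from the thread.
"""
import re

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1648E328-3E5A-4EA5-A9C6-E5F09EE272DA}]
@="Dcads Search Assistant"

[HKEY_CLASSES_ROOT\CLSID\{1648E328-3E5A-4EA5-A9C6-E5F09EE272DA}\InprocServer32]
@="C:\\WINDOWS\\system32\\dcads_sidebar.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Search Assistant Dcads]
"DisplayName"="Search Assistant Dcads"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MessengerPlus3"="\"C:\\Program Files\\MessengerPlus! 3\\MsgPlus.exe\" /WinStart"
"""

KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s: str) -> str:
    # Undo .reg string escaping (doubled backslashes and backslash-escaped quotes).
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text: str) -> list:
    """Return (key, name, data) tuples; a key header yields (key, None, None)."""
    entries, current = [], None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        # hex: values continue onto following lines, each ending with a backslash
        while line.endswith("\\") and i + 1 < len(lines):
            i += 1
            line = line[:-1] + lines[i].strip()
        i += 1
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(2)
            entries.append((current, None, None))
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            raw_name, raw_data = m.group(1), m.group(2)
            name = "@" if raw_name == "@" else _unescape(raw_name[1:-1])
            if len(raw_data) >= 2 and raw_data.startswith('"') and raw_data.endswith('"'):
                data = _unescape(raw_data[1:-1])  # REG_SZ
            else:
                data = raw_data                    # dword:, hex:, or "-" delete marker
            entries.append((current, name, data))
    return entries


def search_reg(text: str, term: str) -> list:
    """Case-insensitive search of key paths, value names and string data."""
    t = term.lower()
    hits = []
    for key, name, data in parse_reg(text):
        if name is None:
            if t in key.lower():
                hits.append({"key": key, "name": None, "where": "key"})
        elif t in name.lower():
            hits.append({"key": key, "name": name, "where": "name"})
        elif data is not None and t in data.lower():
            hits.append({"key": key, "name": name, "where": "data"})
    return hits


def _quote(name: str) -> str:
    return name.replace("\\", "\\\\").replace('"', '\\"')


def removal_reg(hits: list) -> str:
    """Draft .reg text deleting matched keys ([-key]) and matched values ("name"=-).

    A draft for a human to review: a hit on a value inside a shared key (for
    example a Run value) deletes only that value, never the whole key.
    """
    deleted_keys = {h["key"] for h in hits if h["where"] == "key"}
    out = ["Windows Registry Editor Version 5.00", ""]
    for key in sorted(deleted_keys):
        out += [f"[-{key}]", ""]
    per_key = {}
    for h in hits:
        if h["where"] != "key" and h["key"] not in deleted_keys:
            per_key.setdefault(h["key"], []).append(h["name"])
    for key, names in per_key.items():
        out.append(f"[{key}]")
        out += ["@=-" if n == "@" else f'"{_quote(n)}"=-' for n in names]
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    for hit in search_reg(SAMPLE_REG, "dcads"):
        print(f"{hit['where']:>4}: {hit['key']}" + (f" -> {hit['name']}" if hit["name"] else ""))
    print(removal_reg(search_reg(SAMPLE_REG, "dcads")))
```

The search reports where each match sat (key path, value name or value data), which is what decides the deletion syntax: a matched key path becomes `[-key]`, a matched value becomes `"name"=-` under its key. Backing up the registry first, as step 1 says, is what makes such a merge reversible.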
     
  16. thecackster

    thecackster Private E-2

    Never mind, I can't read... I have to redo some things....
     
  17. thecackster

    thecackster Private E-2

    OK, it's still coming up, but it has no content; all it says is "hash verification failed:", so we are getting somewhere.
     

    Attached Files:

  18. abri

    abri MajorGeek

    thecackster,

    Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry. Let me know if you get a success message!

    Let me know if you get a success message for the patch!
     
  19. thecackster

    thecackster Private E-2

    It was successful.
     
  20. abri

    abri MajorGeek

    and your computer?
     
  21. thecackster

    thecackster Private E-2

    OK, well, it's a totally different window now. It just used to be meet-singles junk; I don't know if it's cuz people are usually on MySpace on the computer, and I was on a Photoshop web site today, but it was a Dex website ad, like a search for my home town. It didn't come up for a while, but it is still here. Sorry it took so long, I just wanted to make sure it was gone.
    Thanks,
    Kyle
     
  22. abri

    abri MajorGeek

    Hi Kyle,
    Do you mean that dcads appears to be gone and replaced by something else? It would be good if you can run the GetLogs.bat again. I would like to look at those, and then I may give you one or two scans that are more lengthy but get a lot of stuff missed by other programs.
    abri
     
  23. thecackster

    thecackster Private E-2

    No, it's still DCADS, but it was popping up with different content. When I'm on MySpace, it brings up the same thing, so I think it's website-specific in what content it shows. But it's still here. That would be awesome if you could do that; I will run them tonight while I'm asleep.
     

    Attached Files:

  24. abri

    abri MajorGeek

    Hi Kyle,

    Is Messenger Plus! Live in add/remove programs? If so, please uninstall it. If you don't find it under add/remove programs with the rest of the programs, please click on the windows components button in that same add/remove window and see if you can find it in the list there. If so, uncheck it.

    Go back to post 9, please, and rerun the same search. I don't find anything in your logs this time. Did you run GetLogs.bat before you noticed the ads coming back? If so, rerun the GetLogs.bat again so I can see if it is showing up.

    Finally, as promised, please go to Alternate Scans and download and run the 15-day trial version of CounterSpy. This is a lengthy scan with a large download for the installation. Remember to have it fix everything it finds. This may or may not find anything. Attach the log when you're finished.

    abri
     
  25. thecackster

    thecackster Private E-2

    Thanks, yeah it is. I will uninstall it; it's been on my comp forever, but I will trash it, I don't use Messenger anymore anyways. Um, yeah, that GetLogs.bat was run just before I posted the last message. I'll run that tonight and get the log up first thing in the morning. Thanks for the help.
     
  26. thecackster

    thecackster Private E-2

    Alright, here is the log. I'm not sure if it's gone yet, I haven't seen it yet.... but if I do I will post again...
     

    Attached Files:

  27. abri

    abri MajorGeek

    Hi Kyle,
    Frustrating, but here it is. The Counterspy log shows everything it detected but nothing it fixed. In my instructions, I asked you to have it fix (delete or quarantine) everything it finds. In light of how much it found, I think it would be well worth your time to rerun it and have it fix everything it finds this time! I think you'll notice some improvement in your computer after that.
    abri
     
  28. thecackster

    thecackster Private E-2

    Oh sorry, I did quarantine or delete everything, actually. That is just the only log I could find. Haha. But I've been on the net all morning and I haven't noticed the pop-up yet.
     
  29. abri

    abri MajorGeek

    well, your log was 87 pages long LOL

    Please remember that Counterspy is a trial version. Please go to add / remove programs after a few days (to make sure everything did actually get fixed) and uninstall it. After you uninstall it (very important!) look for folders left behind. Look in the following places and delete any you find:

    C:\Documents and Settings\Your Name\Application Data\Sunbelt Software
    C:\Documents and Settings\All Users\Application Data\Sunbelt Software
    C:\Program Files\Sunbelt Software

    If everything seems okay now, please do our final cleaning instructions.
     
  30. thecackster

    thecackster Private E-2

    OK, well, it did show up again. Here is the GetLogs.bat.
     

    Attached Files:

  31. abri

    abri MajorGeek

    Kyle,
    Please run Counterspy again and have it fix everything it finds. If it did fix everything already, then it won't find anything this time and should run faster. However, when a Counterspy log says "detected", that means it didn't fix anything; otherwise it would say "quarantined" or "deleted" in the log. I'm not sure with Counterspy if you have to check this option before it starts or at the end, but it's necessary to check something.

    Also, there are temporary files in your temp files from the 11th of January. I asked you on the 16th to run ATF Cleaner, so the most recent temp files should be from the 16th. If we delete something from your system and leave the temporary files, then it will just come back again. Please run either ATF Cleaner or CCleaner. For the future, you need to run CCleaner at the default setting with the Windows tab on top, every time you close down your browsers.

    Please go back to post 9 and rerun the registry search. There are no entries for dcads in your logs.

    There's a .tmp file isRS-000.tmp in your first logs from the 8th of January which must be about when this problem started. Dcads was installed on the 7th. The .tmp file relates to a toolbar called Trellian. I don't see this toolbar in your system, but I wondered if you remember downloading something like that on the 8th or installing something that might have had the toolbar with it. iLike came in on the 5th, dcads on the 7th and Flickr on the 9th. Are these all things you put on your computer?

    abri
     
  32. thecackster

    thecackster Private E-2

    I'll run that, but iLike and Flickr were things I put on there, not dcads; it was piggybacking something else. I removed iLike, and I removed it the same day from add/remove, but that never means it's gone :). I will post up the stuff when it's done. Thanks.
     
  33. abri

    abri MajorGeek

    Yes, it must be attached to something! If you uninstalled the program iLike, then you can remove the following folder. See if there's anything inside of it. If so, delete the contents before deleting the folder.

    C:\Documents and Settings\The Cack\Application Data\iLike

    I think it must have come onto your computer before the 9th, because on the 8th it looks like you put on a bunch of ad removal programs (AdAware, Spybot). It always helps to track down adware by knowing as closely as possible when it might have been installed.
    If you ever run into a problem like this again, note as closely to the minute as possible when you first noticed it. If you catch something coming onto your system, you can sometimes get rid of it by going back to the previous restore point. On the other hand, I don't think running Counterspy was a bad idea.

    abri
     
  34. thecackster

    thecackster Private E-2

    Here are the logs... The CounterSpy only found 2 this time. :) Also 2 registry hits.
     

    Attached Files:

  35. abri

    abri MajorGeek

    Okay Kyle,
    Let's get rid of those two files again.

    Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry. Let me know if you get a success message!



    Next I would like to know what the following link goes to? Right click on it and find the pathway in properties. Then run a registry search again and put in the word Adware. See what kinds of things come up on that.

    C:\Documents and Settings\The Cack\Desktop\Adware Away.lnk

    abri
     
  36. thecackster

    thecackster Private E-2

    I don't see an adware away.ink, I see a .exe..... I have it set so you can see all hidden files as well. :confused When I right click and get properties on that, all I get is something saying it's text.
     

    Attached Files:

  37. abri

    abri MajorGeek

    Hi Kyle,

    Go to add/remove programs and uninstall Adware Away. After it's been uninstalled, do a search in Windows Explorer (NOT a registry search!!) and delete any leftovers in Windows Explorer that relate to this program. If you're not sure, ask.

    abri
     
  38. thecackster

    thecackster Private E-2

    Well, good news is I haven't seen it all day, so I'll keep my fingers crossed. I would also like to thank you so much. I have a couple of questions.
    1. Can I hide my files again? the thumbs.db icons are annoying. haha.
    2. Should I put it back to normal boot or what ever?
    3. I am A+ certified if I can help in other sections is that ok? or should I just let them handle it.
    4. Where did you learn all of this? haha.

    Thanks again!!!,
    Kyle
     
  39. abri

    abri MajorGeek

    Hi Kyle,
    I'm glad to hear things are better. You can post in any of the other forums and I'm sure that everyone would be happy for your participation. It's always good when we find people who don't give up easily.

    How I learned all this. ... I'm still learning. A lot of the procedures and the tools were developed by Chaslang. There are also malware schools on the internet where it's possible to get methodical training.

    I will post you a final set of clean-up instructions which includes setting a clean restore point. You can reset your files to hidden by doing the reverse of what was explained in the READ & RUN ME. Your computer should stay in normal startup mode, which is where it should be now. The other settings are for diagnostic purposes and if you use the other settings, like diagnostic or selective, then when you remove a program, it leaves a lot of dead files. If you don't want things in your startup menu, you can take a look at the instructions here:
    For your final clean-up to remove the tools and logs we used and for some further instructions about system restore, please do the following:
    abri
     
    Last edited by a moderator: Jan 26, 2008
  40. thecackster

    thecackster Private E-2

    Everything went very well. Thanks for the good software. I was also wondering why msgplus was bad? I never had any problems with it.
     
  41. abri

    abri MajorGeek

    The similarities of the messengers make it difficult to keep them straight. There is MSN Messenger and Windows Live Messenger, both of which are good. Then there is Windows Messenger, which is an internal messenger for people who are networked, and this is almost never used. It is an entry point for malware and we always ask people to uninstall it using the disable tool. Then there is Messenger Plus Live, which comes with a lot of malware. This can be avoided by installing it in a certain way, but very few people manage to do this. We always ask people to uninstall this one as well.

    Best of luck with your computer!
    abri
     
