Help Pls: Winform.Exe Adware can't be deleted!!

Discussion in 'Malware Help (A Specialist Will Reply)' started by dragonfly, Feb 12, 2005.

  1. dragonfly

    dragonfly Private E-2

    Hi folks!

    I've picked up an adware or spyware named "winform.exe" which resides in the "C:\Windows FormatAd" folder under the Program Files section. The program is also in the Startup folder and I can't delete it no matter what I do or run?

    Have used Spybot, AdAware, Norton's AntiVirus, Spy Sweeper, SpyWare Doctor but no luck!

    In Spy Sweeper, the alert shows up but when you remove Windows FormatAd, it just reappears after 3 seconds!

    It's beginning to cause some unusual problems on startup with XP taking longer than usual to load up and the background image being only half loaded!

    PLUS I have now also lost the ability to launch the WinXP Help files!?

    Can some helpful soul save me with a solution? I have the HijackThis log file if required.

    Also, is there any info. on how to READ contents on HijackThis logs on the web somewhere? I reckon if I learn what's what, I might save myself the STRESS in future!

    THANKS in anticipation! ALL HELP GREATLY APPRECIATED!!

    Cheers all,
    DragonFly
     
  2. PhilliePhan

    PhilliePhan Guest

    Hi DragonFly,

    So, you're saying that you cannot delete the C:\Program Files\Windows FormatAd folder? Did you try in Safe Mode? Something keeps reinstalling it?
    Here is the standard speech. . . .

    Generally, it is a good idea to start with the Cleanup Tutorial HERE:

    READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan and Virus Removal

    There are only a few of us Volunteers who regularly offer advice in this forum. Running through the above Tutorial will remove a lot of stuff that would otherwise clog a HijackThis Log and save us valuable time.

    Please let us know the steps that you are able to complete and the ones that give you problems. Note that you need to be in Safe Mode with System Restore OFF (if you have it) and have the Viewing of Hidden Files ENABLED as per the instructions in the link. Make sure to do the Online Scans.

    Post back and let us know how you fared. Also, send us a HijackThis Log. Please be sure to follow the instructions below:

    Note that your HijackThis should be up-to-date (v1.99) and MUST be extracted to its own safe folder – C:\Program Files\HijackThis!
    Should you need a Fresh Download of HJT, get it HERE: HijackThis v1.99

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    I’ve been tied up with work lately and cannot visit this forum too often these days, but somebody will try to take a look when they get a chance.

    Best luck :)
    PP
     
  3. dragonfly

    dragonfly Private E-2

    Hi PP,

    GRATEFUL THANKS for your response & solution! :)

    I followed your advice and it looks like the problem is fixed; however, I am not 100% sure, so I am attaching the HijackThis log so perhaps that will show you more?

    Many thanks again for your help! Appreciate it!

    Cheers
    Dragonfly
     


  4. dragonfly

    dragonfly Private E-2

    Hi again,

    The following line off my HijackThis log refers to a home page of an ISP I haven't used since 2003!! Can I delete this and any references to the home page without causing any probs?

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.ozemail.com.au

    Thanks & Cheers
    DragonFly
    :cool:
     
  5. PhilliePhan

    PhilliePhan Guest

    Happy to help :)

    These are the items I would fix in HijackThis (unless you really want to keep them):
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.ozemail.com.au
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = ihug Internet

    O14 - IERESET.INF: START_PAGE_URL=http://www.ozemail.com.au

    O16 - DPF: ppctlcab - http://69.44.122.156/scanner/ppctlcab.cab
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/DownloadsUnlimited/ie/bridge-c283.cab
    O16 - DPF: {C886256C-7A63-4213-AD2F-02AD3735DF06} (AtlCtrl Class) - http://dl.adshooter.com/code/SYSsfitb.cab
    O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab



    You can then Reset your Web Settings.

    ALSO, have a peek at Chaslang's Suggestions!!

    PP :)
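
On the question of how to read HijackThis log lines, here is an added example (not part of any post in this thread and not HijackThis code) that splits the R0/R1, O14 and O16 entries quoted above into their fields and notes two properties of an O16 download source. The function names, the section descriptions and the note wording are assumptions of this example.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Section codes that occur in this thread, described in this example's own words.
SECTIONS = {"R0": "Internet Explorer start/search page value",
            "R1": "Internet Explorer start/search page value",
            "O14": "defaults used by Reset Web Settings (IERESET.INF)",
            "O16": "ActiveX object in Downloaded Program Files (DPF)"}
ENTRY = re.compile(r"^(R\d|O\d{1,2}) - (.*)$")
REG = re.compile(r"^(HK[A-Z]{2}\\[^,]+),([^=]+?) =\s?(.*)$")   # key,value = data
INF = re.compile(r"^([^:]+): ([^=]+)=(.*)$")                   # file: NAME=data
DPF = re.compile(r"^DPF: (?:\{([0-9A-Fa-f-]{36})\}|(\S+))(?: \(([^)]*)\))? - (\S+)$")

def host_is_ip(url):
    try:
        ipaddress.ip_address(urlparse(url).hostname or "")
        return True
    except ValueError:
        return False

def parse_line(line):  # returns the fields of one log line, or None
    m = ENTRY.match(line.strip())
    if not m:
        return None
    code, rest = m.groups()
    e = {"code": code, "meaning": SECTIONS.get(code, "not covered here"), "notes": []}
    if code.startswith("R") and (r := REG.match(rest)):
        e.update(key=r[1], value=r[2], data=r[3])
        if not r[3]:
            e["notes"].append("value is empty")
    elif code == "O14" and (i := INF.match(rest)):
        e.update(file=i[1], value=i[2], data=i[3])
    elif code == "O16" and (d := DPF.match(rest)):
        e.update(clsid=d[1], name=d[2], label=d[3], url=d[4])
        if urlparse(d[4]).scheme == "http":
            e["notes"].append("CAB fetched over plain HTTP")
        if host_is_ip(d[4]):
            e["notes"].append("CAB hosted on a bare IP address")
    return e

def triage(text):
    return [e for line in text.splitlines() if (e := parse_line(line))]

# Sample input: lines quoted from the posts above.
SAMPLE = r"""R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.ozemail.com.au
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O14 - IERESET.INF: START_PAGE_URL=http://www.ozemail.com.au
O16 - DPF: ppctlcab - http://69.44.122.156/scanner/ppctlcab.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab"""
```

The notes are descriptive only; whether an entry should be fixed is still a judgement for whoever reviews the log.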
     
