Help with winAD

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by meh, Oct 14, 2004.

  1. meh

    meh Private E-2

    I keep getting WinAD whenever I reboot my computer and use Ad-Aware to scan.

    1. I've already shut off System Restore for my Win XP.
    2. Ran Trend Micro's and Panda Software's online virus scans. Both found nothing after the initial scan and cleaning.
    3. Then ran McAfee Stinger, which found nothing. Used CCleaner, which also found nothing.
    4. Ran Ad-Aware, which found WinAd (again), and the VX2 add-on, which found nothing. Spybot was then used and cleaned the Avenue A Inc. entry.
    5. Then I used Kill2Me, which found nothing. I'm at a loss on what to do with this WinAD thing.

    Is this WinAd file really on my computer, or is it something like Spybot's DSO Exploit bug? Though I doubt it.

    Note: the above was done in normal mode, as I could not get into Safe Mode. When I press F8 it asks which boot drive I want to use, i.e. floppy A, DVD drive, Zip drive, hard drive.

    I am waiting to run and send the HijackThis file if you need it. Before I send the HijackThis file when requested, should I go through all the steps above again before running HijackThis, since I will shut down my computer during the night and WinAd will reappear on reboot?

    Thanks
     
  2. PhilliePhan

    PhilliePhan Guest

    Hi Meh,

    Go ahead and save your log as a .txt file and attach it via the "Manage Attachments" tool below. We'll see what it has to say right now and go from there ;) Make sure your HJT is up-to-date and in its own folder C:\Program Files\HijackThis.

    PP
     
  3. meh

    meh Private E-2

    Hi PP

    OK, here's my HijackThis file. Oh, I forgot to say in my original post that I also ran CWShredder, which also found nothing.

    Am waiting for further instructions.

    Thanks

    Meh
     

  4. PhilliePhan

    PhilliePhan Guest

    Hi Meh,

    Bear with me - I type slowly ;)

    Please look in Add or Remove Programs and see if you are able to Remove
    WinSync
    SyncroAd


    You can save me some time by telling me if these are things you know, need and use:
    O16 - DPF: {683DFF0F-331F-44D2-B69B-46D7BFB58F32} (VacPro.canada_ver3) - http://www.advnt01.com/dialer/canada_ver3.CAB

    O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe

    I suspect that they are OK, but want to check with you.

    PP
     
  5. PhilliePhan

    PhilliePhan Guest

    Hi Meh,

    Here is a thread that deals with your problem. Take a look to see how we are going to go about this.
    http://forums.majorgeeks.com/showthread.php?t=43504

    Note that we need to end these running processes and that there is a trick to doing so:
    C:\Program Files\Windows SyncroAd\SyncroAd.exe
    C:\Program Files\Windows SyncroAd\WinSync.exe


    We will need to have HijackThis fix these entries:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.makemesearch.com/?said=147

    O4 - HKLM\..\Run: [Windows SyncroAd] C:\Program Files\Windows SyncroAd\SyncroAd.exe

    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?


    I'll look up some of the log entries I am unsure of and wait to hear back from you. I'll try to check back tomorrow evening.

    Best,
    PP
     
  6. PhilliePhan

    PhilliePhan Guest

  7. meh

    meh Private E-2

    Hi PP

    I went into Add/Remove and found SyncroAd and removed it. I could not find WinSync. Not sure if this is relevant, but while trying to find these two programs in Add/Remove I saw "uninstall 180search assistant". There was only the Change/Remove button associated with this program, nothing else, such as file size and frequency of usage. If I remember correctly, isn't 180search spyware? Or has it been deleted already and what I see is just the remnants? We can deal with that later, though.

    I don't know what these two entries are:
    O16 - DPF: {683DFF0F-331F-44D2-B69B-46D7BFB58F32} (VacPro.canada_ver3) - http://www.advnt01.com/dialer/canada_ver3.CAB

    O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
    I suspect that DataViz is something that came with the BearShare free version. I told ZoneAlarm to block its internet access; whether it worked or not I don't know.

    Just making sure before proceeding. These entries are the ones you want HijackThis to fix, correct? All I do is check-mark these four entries below and press the "Fix checked" button in HijackThis? Will wait for your approval before proceeding.
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.makemesearch.com/?said=147

    O4 - HKLM\..\Run: [Windows SyncroAd] C:\Program Files\Windows SyncroAd\SyncroAd.exe

    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?

    O16 - DPF: {683DFF0F-331F-44D2-B69B-46D7BFB58F32} (VacPro.canada_ver3) - http://www.advnt01.com/dialer/canada_ver3.CAB


    Meh
     
  8. PhilliePhan

    PhilliePhan Guest

    Hi Meh,
    3 AM & I'm still awake :rolleyes:

    You are correct - You should remove 180Search.

    Since you were able to uninstall SyncroAd, open Task Manager and check if either of these are running:
    C:\Program Files\Windows SyncroAd\SyncroAd.exe
    C:\Program Files\Windows SyncroAd\WinSync.exe


    PP
     
  9. PhilliePhan

    PhilliePhan Guest

    Hi Meh,
    Since I’m awake, I might as well be of some use! :)

    Use Add/Remove Programs to remove 180Search if you haven't already.

    Make sure you have Enabled the Viewing of Hidden Folders as per the instructions here: http://forums.majorgeeks.com/showthread.php?p=394716#post394716

    Open Task Manager and see if these processes are running:
    C:\Program Files\Windows SyncroAd\SyncroAd.exe
    C:\Program Files\Windows SyncroAd\WinSync.exe


    Now, RIGHTCLICK on WinSync and Select “End Process Tree.” Do the same for SyncroAd if need be.

    Run HijackThis and check the boxes to have it fix the following. Make sure ALL browser windows are closed before you click FIX:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.makemesearch.com/?said=147

    O4 - HKLM\..\Run: [Windows SyncroAd] C:\Program Files\Windows SyncroAd\SyncroAd.exe

    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?

    O16 - DPF: {683DFF0F-331F-44D2-B69B-46D7BFB58F32} (VacPro.canada_ver3) - http://www.advnt01.com/dialer/canada_ver3.CAB


    Now, track down and delete this file:
    C:\Program Files\Windows SyncroAd

    **Do the same for 180Search - You may need to run a search of your machine for it, if it is still there.

    Attach a new HJT log & tell me how things are working. Let me know if you ran into any problems.

    I’m going to crash (I mean it this time! ;) ) - I’ll check back Thursday evening.

    Best luck,
    PP ~ the Insomniac
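The clean-up PP lays out in posts #5 and #9 (end the process tree first, have HijackThis fix the R0/O4/O16 entries, delete the program folder, clear the Add/Remove entry), as an added PowerShell example. It is not part of the original thread and not HijackThis's own code. It assumes the registry locations HijackThis reads for those entry types (the HKLM Run key, the Internet Explorer Main key, and Code Store Database\Distribution Units for O16 ActiveX objects) and uses only the process names, paths, CLSIDs and host names quoted in the log above; nothing not quoted in the thread is guessed. Without -Remove it only reports.

```powershell
# Added example, not part of the MajorGeeks thread: a PowerShell re-run of the
# manual clean-up PP gave in posts #5 and #9, using the registry locations
# HijackThis reads for R0 / O4 / O16 entries. Run from an elevated prompt.
# Without -Remove it only reports what it finds.
[CmdletBinding()]
param([switch]$Remove)

# Exactly the items quoted in the thread; anything else (e.g. a 180search
# folder name) is unknown here and deliberately not guessed.
$ProcNames = 'SyncroAd', 'WinSync'
$Folder    = Join-Path $env:ProgramFiles 'Windows SyncroAd'
$RunKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$RunName   = 'Windows SyncroAd'
$MainKey   = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main'
$BadHost   = 'makemesearch.com'
$DpfKey    = 'HKLM:\SOFTWARE\Microsoft\Code Store Database\Distribution Units'
$Clsids    = '{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}',
             '{683DFF0F-331F-44D2-B69B-46D7BFB58F32}'

$found = @()

# 1. Task Manager step first ("End Process Tree"): the two processes restart
#    each other, so both must be gone before the Run value and folder go,
#    or they are simply recreated.
foreach ($p in (Get-Process -Name $ProcNames -ErrorAction SilentlyContinue)) {
    $found += "Process  $($p.Name) PID $($p.Id) $($p.Path)"
    if ($Remove) { Stop-Process -Id $p.Id -Force }
}

# 2. O4 - HKLM\..\Run: [Windows SyncroAd]
$runVal = (Get-ItemProperty -Path $RunKey -Name $RunName -ErrorAction SilentlyContinue).$RunName
if ($runVal) {
    $found += "O4       $RunName = $runVal"
    if ($Remove) { Remove-ItemProperty -Path $RunKey -Name $RunName }
}

# 3. R0 - Start Page hijack. HJT reported HKLM; HKCU is checked too because IE
#    uses the per-user value when one exists.
foreach ($hive in $MainKey, ($MainKey -replace '^HKLM:', 'HKCU:')) {
    $start = (Get-ItemProperty -Path $hive -Name 'Start Page' -ErrorAction SilentlyContinue).'Start Page'
    if ($start -and $start -like "*$BadHost*") {
        $found += "R0       $hive Start Page = $start"
        if ($Remove) { Set-ItemProperty -Path $hive -Name 'Start Page' -Value 'about:blank' }
    }
}

# 4. O16 - DPF: each entry is a Distribution Unit keyed by CLSID; the CODEBASE
#    value under DownloadInformation is the URL the CAB was pulled from.
#    Removing the DU key plus the HKCR CLSID registration (my addition) stops
#    the object being instantiated; the file itself sits in
#    %WINDIR%\Downloaded Program Files.
foreach ($c in $Clsids) {
    $du = Join-Path $DpfKey $c
    if (Test-Path $du) {
        $cb = (Get-ItemProperty -Path (Join-Path $du 'DownloadInformation') -ErrorAction SilentlyContinue).CODEBASE
        $found += "O16      $c  $cb"
        if ($Remove) {
            Remove-Item -Path $du -Recurse -Force
            Remove-Item -Path "HKLM:\SOFTWARE\Classes\CLSID\$c" -Recurse -Force -ErrorAction SilentlyContinue
        }
    }
}

# 5. The folder PP asked to delete by hand (Explorer needs hidden/system files
#    shown for this; PowerShell sees them regardless).
if (Test-Path $Folder) {
    $found += "Folder   $Folder"
    if ($Remove) { Remove-Item -Path $Folder -Recurse -Force }
}

# 6. Add/Remove Programs leftovers: the orphaned "180search assistant" entry
#    meh saw is just a key under Uninstall; deleting the key is what
#    Add/Remove offers when it says the program is already gone.
$arp = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall' |
       ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
       Where-Object { $_.DisplayName -match 'SyncroAd|WinSync|180search' }
foreach ($e in $arp) {
    $found += "ARP      $($e.DisplayName)  [$($e.UninstallString)]"
    if ($Remove) { Remove-Item -Path $e.PSPath -Recurse -Force }
}

if ($found.Count -eq 0) { 'Nothing from the thread list is present.' } else { $found }
if ($found.Count -gt 0 -and -not $Remove) { 'Re-run with -Remove (elevated) to fix the items above.' }
```

Two caveats a practitioner would add. The order matters for the reason PP hints at ("there is a trick to doing so"): kill WinSync and SyncroAd before touching the Run value or folder, otherwise the survivor puts them back. And unlike HijackThis, which keeps backups of what it fixes, this script does not; export the four keys with `reg export` before running it with -Remove. (PowerShell did not exist on a 2004 XP box, so this is a present-day re-run of the steps, not what meh could have typed.)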
     
  10. meh

    meh Private E-2

    Hey PP

    I tried to remove 180Search in Add/Remove; it said that it was already removed and asked if I wanted to remove the item from the list. I said yes.

    I enabled the showing of hidden files and folders, as well as the system files, as instructed, but did not reboot afterwards, as the instructions did not say to reboot.

    I opened Task Manager to look for
    C:\Program Files\Windows SyncroAd\SyncroAd.exe
    C:\Program Files\Windows SyncroAd\WinSync.exe
    Neither process exists in Task Manager.

    Next I opened HijackThis and used the "Fix checked" button on the entries you mentioned; however, the entry for
    O4 - HKLM\..\Run: [Windows SyncroAd] C:\Program Files\Windows SyncroAd\SyncroAd.exe
    does not exist anymore, so I checked the other three entries and fixed them.

    I did a search for "files and folders" looking for Windows SyncroAd in My Computer and local drive C:, and both searches found nothing.

    I then did the same type of search, using the same steps, for 180Search and found nothing.

    I went into C:\Program Files\ to see if I could see the folders mentioned. The Windows SyncroAD and 180search folders do not exist.

    Attached is the new HijackThis txt file.

    I'll be waiting for further instructions. Thanks.

    Meh
     

  11. PhilliePhan

    PhilliePhan Guest

    Hi Meh,

    It looks like you were one of the lucky few who were able to remove SyncroAd via Add or Remove Programs. I see you ran a pretty thorough search to make sure nothing remained :)

    I should have asked you to REBOOT and run a fresh HijackThis scan and attach that log. Please do that. Also, run Ad-Aware again (Note that there is a fresh Definitions File Update available). I’d like to see if it still notifies you of a problem with WinAd. I believe that is a different problem from what we have already addressed. (There are so many these days - it’s hard to keep track of all of them! ;) ).

    If you want, when you run HJT, you could have it “FIX” the following items. They are really personal preference types of things that do not need to be running at startup:
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" –atboottime


    You could also get rid of these if you want. I left them because they looked like things you might have wanted:
    O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/2311f096e3c23153ac01/netzip/Rdx


    Personally, I recommend “Fixing” them ALL.

    In case I forget, I also recommend that you install and run SpywareBlaster 3.2 and update it regularly.

    You should also note that there are fresh updates for SpybotSD as well – Make sure you are using the Immunization feature.

    Anyhoo, Reboot, run Ad-Aware and HJT and attach a fresh log & let me know how things shook out. I’ll check back later.

    Best,
    PP
     
  12. meh

    meh Private E-2

    Hey PP

    I rebooted and did the 2 online scans. Panda Software said everything is OK, but Trend Micro found "Tro.B" (I might have spelt it wrong) and I deleted this file. I rebooted and redid the online scans 3 times; nothing was found. This Trojan does not always show up for some reason.

    I ran Ad-Aware and this time it found nothing. YAY!!! I went through HijackThis and here is the new file. Seems everything is OK except for the occasional Tro.B being found when using Trend Micro's online scan.

    Remember to tell me when to re-enable my System Restore. Those other entries you mentioned in your latest reply I'll probably leave for now. Kinda pressed for time, but I want to let you know what is happening.

    Tell me what you think from the new log. Thanks PP

    Meh
     

  13. PhilliePhan

    PhilliePhan Guest

    Your HJT log is clean :) Good job!

    You can turn System Restore back on anytime. Generally, it is a good idea to wait for a day or two to make sure everything is working okay.

    If you get a chance, take a look at Chaslang's recommendations HERE:
    How to Protect yourself from malware!

    Best,
    PP
     
  14. meh

    meh Private E-2

    Thanks PP, you've been a great help. :)

    Meh
     
  15. PhilliePhan

    PhilliePhan Guest

    You're Welcome! Happy to Help :)

    PP
     
