Windupdates

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by night_flight, May 17, 2005.

  1. night_flight

    night_flight Private E-2

    Hi all,
    guys I have a problem with one of windupdates...here is the deal: i got it from someone on msn and i have installed and updated the following

    microsoft antispy
    lava soft cc cleaner
    spyware
    spybot
    spyware blaster
    xsoft spy
    registry mechanic
    spyware doctor

    plus i did the other ones which don't install, you just unzip them, that have been advised on this site, scanned and removed all i was able to..HOWEVER I dont have any spyware but I get from time to time www.freewebs.com page trying to open and that is blocked by spyware doctor but how can I get rid of it..it means I still have spyware...

    I found this on the net:


    Overview:
    WindUpdates is a trojan downloader that by itself will deliver popup advertisements to your system. This is NOT the part that's so bad... It also installs a number of other adware/spyware applications and is installed on your system through an activex control that installs itself on a lot of IE users' systems without them ever knowing it. All they have to do is visit the wrong site! Use FireFox NOW!

    Destroy Autorun:
    Delete the following keys
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\winad client
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\windupdates

    Reboot your system then:

    Make sure you click start --> Run and type in msconfig. Then select the startup tab. Any references to the processes below should be deleted

    BUT I CANT DESTROY AUTORUN when i go run ---> regedit it says something about the file system not suitable for running ms dos and microsoft applications......

    guys help
    now i dont wanna start computer in safe mode coz that just stuff my computer all together ...ALWAYS
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please read the announcement and sticky threads. HJT logs should only be posted when requested and then they must be attachments. You must run ALL of the steps in the READ ME FIRST including the online scanners.

    According to your log Winad client and Winupdates are not running. Did you already kill the process before posting?

    Have you been having any problems with AVG7? It does not seem to be installed properly. I do not see any of the expected services running in the O23 section of your HJT log.

    Please follow the steps below:

    - Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

    You must use Add/Remove programs to uninstall: Messenger Plus! 3
    It puts a variety of bad stuff on your PC.




    After doing ALL of the above you still have a problem:

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following:your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
    Last edited: May 17, 2005
  3. night_flight

    night_flight Private E-2

    OK,
    FIRST THING IS I KNOW HOW I GOT THE VIRUS OR I SHOULD SAY SPYWARE...I GOT IT AS ONE MEMBER ON MSN SENT ME A STRANGE LINK TO C SOMETHING AND SINCE THEN I HAD PROBLEMS...MSN PLUS 3 IS NOT THE CAUSE..AND THE REASON I SAY THAT IS COZ I NEVER HAD PROBLEMS WITH IT B4 BUT THATS ONLY IF U CHOOSE INSTALLATION OF MSN PLUS WITHOUT THE SPONSOR..IF U CHOOSE THE SPONSOR OPTION THEN U GET CRAP IN UR COMPUTER BUT NOT SURE WHY WOULD ANYONE CHOOSE THAT OPTION ANYWAY......

    OK
    I REINSTALLED MY AVG YES SOMETHING WAS WRONG UPDATED AND SCANNED NOTHING WAS FOUND
    YES I THINK I WAS ABLE TO REMOVE WINDUPDATES BUT I STILL FROM TIME TO TIME GET WWW.FREEWEB.COM POPPING UP AND SPY DOCTOR DOES BLOCK IT BUT IF IT DIDNT IT WOULD INSTALL A LOT OF WINDUPDATES...I KNOW THAT COZ IT USED TO DO THAT B4 I GOT SPYWARE DOCTOR....AS I SAID B4 I READ SUMWHERE WINDUPDATES GETS OTHER CRAP THAN ITSELF ON THE COMPUTER

    SO THE RESULTS ARE AS FOLLOWING:

    ONLINE SCANS:

    TREND MICRO HOUSE CALL:
    NO VIRUSES FOUND

    SYMANTEC FOUND THIS:

    C:\Program Files\Microsoft AntiSpyware\Quarantine\B54EB148-A154-4ECB-A678-A22710\AF2F55CA-17BC-454C-BF72-5B4583 is infected with Adware.MediaPass
    C:\Program Files\Microsoft AntiSpyware\Quarantine\B54EB148-A154-4ECB-A678-A22710\63FC72A9-C5B8-4BC5-A894-41B87D is infected with Adware.MediaPass
    C:\Program Files\Microsoft AntiSpyware\Quarantine\B54EB148-A154-4ECB-A678-A22710\04EFE7F6-EB35-468D-8511-A3003D is infected with Adware.MediaPass
    C:\Program Files\Microsoft AntiSpyware\Quarantine\B54EB148-A154-4ECB-A678-A22710\449FEE86-2979-4664-BC64-D83F08 is infected with Adware.MediaPass
    C:\Program Files\Microsoft AntiSpyware\Quarantine\4B7801F8-F158-4BFE-9BF1-57DAE0\E9239AA7-F296-4C71-ADBB-AAACB5 is infected with Adware.MediaPass
    C:\Program Files\Microsoft AntiSpyware\Quarantine\13363C8F-1924-4A1A-B381-2BAF8B\5FBBDC18-D348-4C79-AA74-51325A is infected with Adware.MediaPass
    C:\Program Files\Microsoft AntiSpyware\Quarantine\13363C8F-1924-4A1A-B381-2BAF8B\4E6C437F-61E9-4389-9B7D-2E5653 is infected with Adware.MediaPass
    C:\Program Files\Microsoft AntiSpyware\Quarantine\13363C8F-1924-4A1A-B381-2BAF8B\0877F93F-6191-487D-9CE6-8AF215 is infected with Adware.MediaPass
    C:\Program Files\Microsoft AntiSpyware\Quarantine\13363C8F-1924-4A1A-B381-2BAF8B\007B7D6C-8625-4884-B216-4D4FD5 is infected with Adware.MediaPass
    C:\Program Files\Microsoft AntiSpyware\Quarantine\23AE38D6-076A-4D98-AEF0-361915\384E53AD-DC30-4BC9-AF5E-71F6A1 is infected with Adware.MediaPass
    C:\Program Files\Microsoft AntiSpyware\Quarantine\23AE38D6-076A-4D98-AEF0-361915\2C611132-62B7-4ECD-9188-56F9CE is infected with Adware.MediaPass
    C:\Program Files\Microsoft AntiSpyware\Quarantine\23AE38D6-076A-4D98-AEF0-361915\A8CA0715-F54F-4DA7-BFA4-094EE2 is infected with Adware.MediaPass
    C:\Program Files\Microsoft AntiSpyware\Quarantine\23AE38D6-076A-4D98-AEF0-361915\1B1E97A2-78CE-4BA2-8D7A-3E337D is infected with Adware.MediaPass
    C:\Program Files\Microsoft AntiSpyware\Quarantine\673E4172-8028-4F46-A6FA-BBA74A\BBB727AE-BF2F-47AD-A2CF-B732D3 is infected with Adware.MediaPass
    C:\Program Files\Microsoft AntiSpyware\Quarantine\673E4172-8028-4F46-A6FA-BBA74A\2C38AE72-16AF-441A-979F-001EDD is infected with Adware.MediaPass
    C:\Program Files\Microsoft AntiSpyware\Quarantine\673E4172-8028-4F46-A6FA-BBA74A\BDE47109-71EE-49B2-82F2-E2AC01 is infected with Adware.MediaPass
    C:\Program Files\Microsoft AntiSpyware\Quarantine\673E4172-8028-4F46-A6FA-BBA74A\A99D36BA-E623-4FDE-9794-F14A58 is infected with Adware.MediaPass


    41785 files scanned, 17 file(s) infected on your disk drives.

    No viruses were detected in memory.

    Your computer is infected with at least one known virus or Trojan horse


    I HAVEN'T DONE THE SAFE BOOT OPTION BECAUSE IT ALWAYS STUFFS UP MY COMPUTER LIKE CANT GET PAST THE SAFE BOOT POINT...SO I WILL AVOID THAT


    NOW THE NORMAL SCANS GOT THIS

    AD AWARE UPDATED
    Total scanning time:00:06:42.62
    Objects scanned:102030
    Objects identified:0
    Objects ignored:0
    New critical objects:0

    MICROSOFT SPYWARE BETA REPORTED:
    4 THREATS

    MSN PLUS - MODERATE
    BEAR SHARE - MODERATE
    (I had these 2 programs all the time, didn't have problems with them, I doubt they are the problem ones)
    ANTILEECH PLUG IN - ELEVATED
    (also had this for ages no problem)
    POSSIBLE BROWSER HIJACK ATTACK (BROWSER MODIFIER) HIGH
    LOCATION : INTERNET EX SEARCH PAGE
    now this one is new, popped up, never seen it

    NOW RUNNING CC CLEANER GOT NOTHING INTERESTING EXCEPT WHEN I WENT TO C START UP PROGRAMS I SAW THIS PROGRAM WHICH I GOT NO CLUE WHAT IT DOES AND IT WAS NEVER
    B4 THERE
    CALLED: \FILE\PROGRAM\BACK-WEB-8876480.EXE
    CANT SEEM TO C WHERE ITS RUNNING FROM BUT I THINK THIS IS WHAT IS CAUSING ME TROUBLE

    AFTER THAT I DID SPYBOT

    NOW SPYBOT IS AN INTERESTING ONE IT REPORTS THIS:

    1 INFECTED THING CALLED "BACK-WEB LITE"......AUTORUN SETTING....AND SHOWS ME REGISTRY KEY

    NOW ITS INTERESTING IN ITSELF AS I DID 5 SCANS OF SPYBOT REMOVING THIS PARTICULAR ITEM BUT I CANT
    SEEM TO GET RID OF IT FOR EVER, AS SOON AS MY COMPUTER RESTARTS OR SOMETHING I GET IT...GRRR
    THIS IS I RECKON THE PROBLEM NOW HOW TO REMOVE IT...???!!! SO IT DOESN'T COME BACK OK
    THE REST OF SCANS...

    ABOUT BUSTER

    Scanned at: 3:41:15 PM on: 18/05/2005


    -- Scan 1 ---------------------------
    About:Buster Version 4.0
    Reference List : 26


    ADS not scanned System(FAT)
    Attempted Clean Of Temp folder.
    Pages Reset... Done!

    -- Scan 2 ---------------------------
    About:Buster Version 4.0
    Reference List : 26


    ADS not scanned System(FAT)
    Attempted Clean Of Temp folder.
    Pages Reset... Done!


    McAfee AVERT Stinger:


    NO THREATS
    HS REMOVAL:

    8 ITEMS REMOVED
    REMOVAL COMPLETE


    CW SHREDDER
    0 INFECTED

    KILL 2 ME
    REMOVED IF PRESENT

    WELL THATS ALL I HOPE U CAN SEE THE PATTERN MAYBE IN ALL THIS I AM 100% SURE ITS THAT AUTORUN
    OF BACK WEB LITE AS WHEN I WENT INTO MSCONFIG AND UNTICKED THE BOX FOR THIS ITEM TO LOAD NEXT TIME IT LOADED IT
    AGAIN!!!!!!!!!!!!!!!! SO NOW I HAVE TWO BOXES ONE UNTICKED AND THE OTHER TICKED AGAIN DAMN :((((
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Is your caps lock key stuck? Please stop yelling!

    If you do not boot into safe mode, many problems cannot be fixed!

    Why are you running About:Buster and HSremove? They are only to be run for about:blank and HSA hijack problems.
     
  5. night_flight

    night_flight Private E-2

    lol sorry for the caps, it was just on....erm well wanted to scan the hell out of my computer...anyway safe boot doesn't do me good, last 2 times i loaded in safe boot and got to the prompt page to select load in safe mode it was just looping my win xp over and over again...would never load into the actual system so I had to take it to the repairer....is there any way i can remove that without going into the actual safe boot system...if not I reckon the only thing I ll have to do then is reformat (ohhh noo)
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you uninstall Messenger Plus! 3? edit: I see you chose not to! It is still garbage that should not be used due to their deceptive practices. I would not trust it.

    The backweb program is from your Logitech mouse. It is used for automatic updates. If you do not want that, you can have HJT fix the below two lines:
    O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe

    I believe that (in addition to Messenger Plus 3 ) one of your problems is the below (unless you know differently):
    O4 - HKLM\..\Run: [REGRUN] C:\Documents and Settings\Mladen\reg.exe

    Kill the reg.exe process with Task Manager, then fix that O4 line with HJT, then delete the file. Normally a safe mode boot is required to delete these kinds of files.
     
  7. night_flight

    night_flight Private E-2

    so you think that msn plus is my cause ok i will uninstall it actually already have done so...i also went pressed ctl alt del and killed that reg.exe.. as you say if cool web is the logitech thing as u say it is then it shouldnt be a problem as i have logitech web cam....I mean all these programs there were never a problem with them its just 4 days ago someone on msn sent me the link to something like see my profile with their email address and i clicked it and since then windupdates....and everything started piling..i removed like so many entries of everything and anything with these programs the only thing as I said from time to time I get a sudden page opening of www.freewebs.com or some other page i got no clue about...I am not sure

    I guess I can delete this file manually:

    O4 - HKLM\..\Run: [REGRUN] C:\Documents and Settings\Mladen\reg.exe
    by going to the actual location
    and also this one
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    or I d have to do it via HJT..not much familiar with HJT thats why I am asking
     
  8. night_flight

    night_flight Private E-2

    you could be right about reg.exe because i clicked on it and avg reported it as virus detected...I clicked delete the file but went into the original location, it was still there...can you help me how to delete the thing
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You do not need to delete the Logitech related backweb file. But you do not necessarily need it running either. That O4 line can just be fixed using HijackThis and that will stop it from loading.

    I did not say Messenger Plus 3 (it is not MSN plus because it is not a Microsoft Product) is the cause of your problems. I just said that deceptive programs like this do not deserve to be installed on a PC and cannot be trusted.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).


    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\Documents and Settings\Mladen\reg.exe


    After killing all the above processes, click "Back".

    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [REGRUN] C:\Documents and Settings\Mladen\reg.exe


    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete (I know you said you are having problems booting into safe mode, so if you cannot boot into safe mode just try deleting the file in normal boot mode after killing the process):
    C:\Documents and Settings\Mladen\reg.exe

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.


    Now run CCleaner (installed while running the READ ME FIRST). Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
  10. night_flight

    night_flight Private E-2

    ok YES!!!!!!!!!!! I think I got rid of it...the problem in my opinion was the .reg file which caused occasional pop-ups in my windows..yes I didn't go to safe mode but after I killed the process with hjt I went to the actual location and deleted it manually like a normal file.....its in my recycle bin now which I will empty...I also killed those cool web searches as if I really needed them I can always reinstall logitech software....
    Now I was not able to clean with cc cleaner that folder c:\windows\Prefetch
    not sure why....? I analyzed the whole 3 parts "windows" "applications" "issues" there was no folder with that path..However going into the folder itself I could see various files eg. NOTEPAD.EXE-336351A9.pf, ..so on so on and ONE OF THEM is REG.EXE-2CFE6AB4.pf..why didnt cc cleaner appear to clean that folder..maybe coz i am not in safe boot? Can I delete all files in this folder manually too?
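Added example, not code from this thread, from HijackThis or from MajorGeeks: a small Python triage helper that parses HJT O4 autorun lines like the three chaslang listed and cross-checks each launched executable against Prefetch file names like the ones night_flight found in c:\windows\Prefetch. The sample O4 lines and Prefetch names are constructed from what is quoted in the thread; the "suspicious / review / ok" rule (is the target launched from a user-writable profile directory, or from a relative path that has not been resolved?) is an assumption of this example and not an HJT rule set. A Prefetch hit only says the binary has actually executed on the box, which is exactly the evidence the REG.EXE-2CFE6AB4.pf file gave here.

```python
import re

# Constructed sample input: the three O4 lines quoted earlier in this thread.
HJT_O4_LINES = [
    r"O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe",
    r"O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe",
    r"O4 - HKLM\..\Run: [REGRUN] C:\Documents and Settings\Mladen\reg.exe",
]

# Constructed sample: the two Prefetch file names mentioned in the thread.
PREFETCH_FILES = ["NOTEPAD.EXE-336351A9.pf", "REG.EXE-2CFE6AB4.pf"]

# O4 lines look like: "O4 - <location>: [<name>] <target>"; startup-folder
# entries have no [name] and read "<shortcut>.lnk = <real path>".
O4_RE = re.compile(r"^O4 - (?P<loc>[^:]+): (?:\[(?P<name>[^\]]*)\] )?(?P<target>.+)$")

# Assumed heuristic (not an HJT rule): autorun targets living under a
# user-writable profile or temp directory deserve a closer look.
USER_WRITABLE_MARKERS = ("\\documents and settings\\", "\\users\\", "\\temp\\", "\\tmp\\")


def parse_o4(line):
    """Split one HJT O4 line into its autorun location, entry name and launched path."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    target = m.group("target")
    if ".lnk = " in target:
        # Startup-folder shortcut: keep the path the shortcut points at.
        target = target.split(".lnk = ", 1)[1]
    # Command-line arguments after the executable are not stripped in this example.
    return {"location": m.group("loc"), "name": m.group("name") or "", "path": target}


def classify_path(path):
    """Assumed triage verdict based only on where the autorun target lives."""
    p = path.lower()
    if not re.match(r"^[a-z]:\\", p):
        return "review"      # relative path: resolve where it actually loads from
    if any(marker in p for marker in USER_WRITABLE_MARKERS):
        return "suspicious"  # executable launched from a user-writable location
    return "ok"              # system or Program Files location


def prefetch_hits(exe, prefetch_files):
    """Prefetch names are <EXENAME>-<hash>.pf; a hit means the binary has actually run."""
    prefix = exe.upper() + "-"
    return [f for f in prefetch_files if f.upper().startswith(prefix)]


def triage(o4_lines, prefetch_files):
    """Return one dict per parseable O4 line with exe name, verdict and Prefetch evidence."""
    results = []
    for line in o4_lines:
        entry = parse_o4(line)
        if entry is None:
            continue
        exe = entry["path"].rsplit("\\", 1)[-1]
        entry["exe"] = exe
        entry["verdict"] = classify_path(entry["path"])
        entry["prefetch"] = prefetch_hits(exe, prefetch_files)
        results.append(entry)
    return results


if __name__ == "__main__":
    for e in triage(HJT_O4_LINES, PREFETCH_FILES):
        ran = ", ".join(e["prefetch"]) or "no Prefetch record"
        print(f"[{e['verdict']:10}] {e['location']:16} {e['name']:8} {e['path']}  ({ran})")
```

Run it on a real HJT log by feeding the O4 lines and a directory listing of the Prefetch folder into `triage()`; the point of the verdict column is to sort what to look at first, not to decide on its own what gets fixed, and the Prefetch column tells you whether an entry has merely been registered or has really executed.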
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    My directions already told you to delete all files in the Prefetch folder. I did not tell you to use CCleaner to delete them. By default CCleaner will only remove old data from the Prefetch folder. Also I did not say run the Issues tab of CCleaner. That can be dangerous especially if you do not do a full registry backup first. You need to try to read directions more carefully.
     
  12. night_flight

    night_flight Private E-2

    well cools I am just new to all this spyware thing.... :eek: ok i ll delete those things i havent touched anything so far in cc cleaner... :)
    thank u again!
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. If you are all cleaned up and working okay at this point, you should then make sure you follow the steps in the below thread to help keep you clean:

    How to Protect yourself from malware!
     
