# Ad aware did not get rid of spyware



## wguido (Jan 16, 2003)

I have tried everything, and I cannot get the stupid pop ups that were NEVER there before off. I downloaded adaware, did not work, I tried a reg cleaner, windows washer, spybot, everything you can think of. Even restored my computer back 2 months, HELP!!!!!!!!!!


----------



## pyritechips (Jun 3, 2002)

Hello!

This sounds like it should be in the security forum, so assuming that it's ok with you, I will request that it be moved.

Exactly what kind of popups are you getting? Can you give us more information, like: What operating system do you have, what browser?

In the meantime, you can go to the following site and download and run Startuplist 1.51 and post the results here:

http://www.lurkhere.com/~nicefiles/


----------



## Davey7549 (Feb 28, 2001)

Moved to Security PC! By the way I like your Welcome Gif!! Nice Job!

Dave


----------



## wguido (Jan 16, 2003)

StartupList report, 1/16/2003, 3:50:20 PM
StartupList version: 1.51
Started from : C:\unzipped\startuplist151[1]\StartupList.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\DELL\AccessDirect\dadapp.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\Common Files\Totem Shared\Uninstall0001\upd.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Washer\washer.exe
C:\Program Files\D-Link AirPlus\WLANMON.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\unzipped\startuplist151[1]\StartupList.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
D-Link AirPlus DWL-650+ Utility.lnk = ?

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

NvCplDaemon = RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
SynTPLpr = C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
SynTPEnh = C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
DadApp = C:\Program Files\DELL\AccessDirect\dadapp.exe
NAV Agent = C:\PROGRA~1\NORTON~1\navapw32.exe
NeroCheck = C:\WINDOWS\System32\NeroCheck.exe
Dell|Alert = C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
Sentry = C:\WINDOWS\Sentry.exe
Uninstall0001 = "C:\Program Files\Common Files\Totem Shared\Uninstall0001\upd.exe" LASTCALL!adverts.mp3dancer.com!StatsMP3Dancer
Microsoft Works Update Detection = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

washindex = C:\Program Files\Washer\washidx.exe "Wendie"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

AIM = C:\Program Files\AIM95\aim.exe -cnetwait.odl
Microsoft Works Update Detection = C:\Program Files\Microsoft Works\WkDetect.exe
Washer = C:\Program Files\Washer\washer.exe /0

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

washindex = C:\Program Files\Washer\washidx.exe "Wendie"

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\WINDOWS\IPINSIGT.DLL - {000004CC-E4FF-4F2C-BC30-DBEF0B983BC9}
(no name) - C:\WINDOWS\MSView.DLL - {00000580-C637-11D5-831C-00105AD6ACF0}
MediaLoads Enhanced - C:\Program Files\MediaLoads Enhanced\ME1.DLL - {85A702BA-EA8F-4B83-AA07-07A5186ACD7E}
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}
(no name) - C:\Program Files\Microsoft Money\System\mnyviewer.dll - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Norton AntiVirus - Scan my computer.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[SysProWmi Class]
InProcServer32 = C:\WINDOWS\System32\Dell\SystemProfiler\SysPro.ocx
CODEBASE = http://support.dell.com/us/en/systemprofiler/SysPro.CAB

[RdxIE Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\RdxIE.dll
CODEBASE = http://207.188.7.150/161b002aed60a3bd7306/netzip/RdxIE601.cab

[DmiReader Class]
InProcServer32 = C:\WINDOWS\DOWNLO~1\SYSPRO~1.DLL
CODEBASE = http://ftp.us.dell.com/fixes/PROFILER.CAB

[ContentAuditX Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\CONTEN~1.OCX
CODEBASE = http://a840.g.akamai.net/7/840/5805...ch.com/audit/includes/ContentAuditControl.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://active.macromedia.com/flash2/cabs/swflash.cab

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: \??\C:\DOCUME~1\Wendie\LOCALS~1\Temp\GLB1A2B.EXE||\??\C:\DOCUME~1\Wendie\LOCALS~1\Temp\GLB1A2B.EXE

--------------------------------------------------
End of report, 6,252 bytes
Report generated in 0.210 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


----------



## brendandonhu (Jul 8, 2002)

I don't see anything but you can try spybot from http://security.kolla.de

In my tests, it caught more than adaware.
Make sure you update the program before downloading by clicking Online, Check For Updates, Download Updates.


----------



## wguido (Jan 16, 2003)

I did, nothing


----------



## wguido (Jan 16, 2003)

The same ads that pop up are eBay, debt consolidation, specific pop, and albion...


----------



## bobince (Jan 16, 2003)

Crumbs, you've got heaps of problems there. Are you sure you're using Spybot with the latest updates? Because I'm sure it should catch some of these:

Sentry = C:\WINDOWS\Sentry.exe

This is IPInsight/Sentry, see http://www.doxdesk.com/parasite/IPInsight.html

Uninstall0001 = "C:\Program Files\Common Files\Totem Shared\Uninstall0001\upd.exe" LASTCALL!adverts.mp3dancer.com!StatsMP3Dancer

This is Totem Updater. I've never seen it actually do anything, but it hangs around after uninstalling any of their programs (MP3Dancer in this case) and looks generally suspicious. Delete this startup entry using HijackThis! or regedit (registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Uninstall0001). Reboot and wipe the whole Program Files\Common Files\Totem Shared folder.

(no name) - C:\WINDOWS\IPINSIGT.DLL - {000004CC-E4FF-4F2C-BC30-DBEF0B983BC9}

This is IPInsight/Ipinsigt, see the above page again.

(no name) - C:\WINDOWS\MSView.DLL - {00000580-C637-11D5-831C-00105AD6ACF0}

This is Transponder/MSView, see http://www.doxdesk.com/parasite/Transponder.html

MediaLoads Enhanced - C:\Program Files\MediaLoads Enhanced\ME1.DLL - {85A702BA-EA8F-4B83-AA07-07A5186ACD7E}

This is DownloadWare, see http://www.doxdesk.com/parasite/DownloadWare.html

[RdxIE Class]

This is RealDownload. I haven't analysed this yet so I don't know if it's harmful, but it certainly doesn't do any good to have it installed. Try to remove it from Downloaded Program Files in the Windows folder.

[ContentAuditX Control]

This is not actually harmful, but it's completely worthless. It's used by contentwatch.com, a site that claims to scan your computer for hidden pornography (!), but in fact just flags any files with words like 'sex' in the title, and then tells you to buy more software. I'd go to Downloaded Program Files and wipe it if I were you.

Hope that helps!

-- 
Andrew Clover
mailto:[email protected]
http://www.doxdesk.com/
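The analysis above works by reading the StartupList report section by section (Run keys, then Browser Helper Objects) and matching file names against things already known to be parasites. The script below is an added example, not code from this thread, from StartupList's author or from doxdesk: it parses the report format posted in this thread and flags the entries the thread identifies (IPInsight, Transponder/MSView, DownloadWare, Totem Updater), plus any unnamed BHO, since a BHO loads inside Internet Explorer with no Run entry at all. The `SAMPLE_REPORT` is a constructed excerpt modelled on the posted report; the watchlist names and all function names are my own.

```python
import re
from dataclasses import dataclass

# Constructed excerpt modelled on the StartupList 1.51 report posted above;
# only the sections this parser reads are included.
SAMPLE_REPORT = r"""StartupList report, 1/16/2003, 3:50:20 PM
StartupList version: 1.51
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\Program Files\Common Files\Totem Shared\Uninstall0001\upd.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

NAV Agent = C:\PROGRA~1\NORTON~1\navapw32.exe
Sentry = C:\WINDOWS\Sentry.exe
Uninstall0001 = "C:\Program Files\Common Files\Totem Shared\Uninstall0001\upd.exe" LASTCALL!adverts.mp3dancer.com!StatsMP3Dancer

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

AIM = C:\Program Files\AIM95\aim.exe -cnetwait.odl

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\WINDOWS\IPINSIGT.DLL - {000004CC-E4FF-4F2C-BC30-DBEF0B983BC9}
(no name) - C:\WINDOWS\MSView.DLL - {00000580-C637-11D5-831C-00105AD6ACF0}
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

--------------------------------------------------
End of report
"""

# File names this thread identified, keyed by lower-case basename (my own table).
THREAD_WATCHLIST = {
    "sentry.exe": "IPInsight/Sentry",
    "ipinsigt.dll": "IPInsight",
    "msview.dll": "Transponder/MSView",
    "me1.dll": "DownloadWare (MediaLoads Enhanced)",
    "upd.exe": "Totem Updater (left behind by MP3Dancer)",
}

SECTION_SEP = "-" * 50  # StartupList separates sections with a 50-dash line


@dataclass
class Finding:
    kind: str       # "process", "autorun" or "bho"
    location: str   # registry key for autoruns, CLSID for BHOs, section otherwise
    name: str
    path: str
    note: str = ""


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _first_path(command):
    """Extract the executable path from a Run command line, quoted or not."""
    m = re.match(r'^"?(.+?\.(?:exe|dll|ocx|com|scr|bat|cmd))(?:"|\s|$)', command.strip(), re.I)
    return m.group(1) if m else command.strip().strip('"')


def parse_startuplist(text):
    """Walk the report; a line ending in ':' opens a section, dashes close it."""
    findings, section, key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == SECTION_SEP:
            section, key = None, None
            continue
        if not line or line.startswith("="):
            continue
        if line.endswith(":"):
            section, key = line[:-1], None
            continue
        if section == "Autorun entries from Registry":
            if key is None:          # first line after the header is the registry key
                key = line
                continue
            name, _, command = line.partition(" = ")
            findings.append(Finding("autorun", key, name, _first_path(command)))
        elif section == "Enumerating Browser Helper Objects":
            name, rest = line.split(" - ", 1)
            path, clsid = rest.rsplit(" - ", 1)
            findings.append(Finding("bho", clsid.strip(), name.strip(), path.strip()))
        elif section == "Running processes":
            findings.append(Finding("process", section, _basename(line), line))
    return findings


def triage(findings):
    """Return only findings worth a second look, with the reason attached."""
    flagged = []
    for f in findings:
        base = _basename(f.path)
        if base in THREAD_WATCHLIST:
            f.note = "identified in thread as " + THREAD_WATCHLIST[base]
        elif f.kind == "bho" and f.name == "(no name)":
            f.note = "unnamed BHO; loads in IE without a Run entry, identify before trusting"
        if f.note:
            flagged.append(f)
    return flagged


if __name__ == "__main__":
    for f in triage(parse_startuplist(SAMPLE_REPORT)):
        print(f"[{f.kind}] {f.name} -> {f.path}: {f.note}")
```

A running `upd.exe` shows up in the process list as well as under the Run key, which is why the later "write protected" deletion error in this thread means the process must be killed (or the Run value removed and the machine rebooted) before the file can go.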


----------



## wguido (Jan 16, 2003)

It won't delete Totem. It says it is write protected


----------



## bobince (Jan 16, 2003)

This probably means the file is in use - that is, Totem is currently running. Open the Task Manager (Ctrl-Alt-Delete), pick the 'Processes' tab, and kill 'upd.exe'. Then you should be able to delete it.

Removing the HKLM...Run registry entry then rebooting is another way to stop the process from running.

-- 
Andrew Clover
mailto:[email protected]
http://www.doxdesk.com/


----------



## wguido (Jan 16, 2003)

There is no upd file


----------



## wguido (Jan 16, 2003)

OK, I got Totem deleted, but still popups! Is there an easier way to get rid of it?


----------



## mViOkPe (Oct 15, 2002)

Hey Andrew, nice to see ya. You are quite correct about SSD targeting most of these. BTW I saw that bit of business at AA/LS the other day. Guess they want to alienate everyone in the industry now. 

wguido, I would suggest you try SSD again and make sure you have the current version, v1.1r4, then use the internal updater to get the latest sigs. Get it here: http://www.lurkhere.com/~nicefiles/index.html

For a REAL task manager you might try ProcExp: http://www.sysinternals.com/ntw2k/freeware/procexp.shtml


----------



## wguido (Jan 16, 2003)

I did dl it, updated it, rebooted....STILL HAVE POP UPS! This is driving me crazy! lol I never had them on my homepage or bank page or email page before.


----------



## mViOkPe (Oct 15, 2002)

Did you get rid of IPInsight? Transponder? DownloadWare? I know for a fact that the SSD scan will pick these up.

Would you post a copy of your SSD results please. Just right click in the results and choose 'copy to clipboard' and then paste here.

EDIT: Also, could you get a copy of HijackThis and run a scan and post its results too: http://www.spywareinfo.com/~merijn/files/hijackthis.zip


----------



## wguido (Jan 16, 2003)

Advertising.com: Tracking cookie or cookie of tracking site (File)
[email protected]rtising[1].txt

Advertising.com: Tracking cookie or cookie of tracking site (File)
[email protected][1].txt

Commission Junction: Tracking cookie or cookie of tracking site (File)
[email protected]www.qksrv[2].txt

Commission Junction: Tracking cookie or cookie of tracking site (File)
[email protected]www.commission-junction[2].txt

DownloadWare: User settings (Registry key)
HKEY_CURRENT_USER\Software\Updater

MediaPlex: Tracking cookie or cookie of tracking site (File)
[email protected][1].txt

Ahead Nero Burning Rom: Browser directory (Registry change)
HKEY_CURRENT_USER\Software\Ahead\Nero - Burning Rom\Settings\BrowserDir=

Ahead Nero Burning Rom: Compilation directory (Registry change)
HKEY_CURRENT_USER\Software\Ahead\Nero - Burning Rom\Settings\NeroCompilation=

Ahead Nero Burning Rom: Compilation directory (Registry change)
HKEY_LOCAL_MACHINE\Software\Ahead\Nero - Burning Rom\Settings\NeroCompilation=

Ahead Nero Burning Rom: Image directory (Registry change)
HKEY_CURRENT_USER\Software\Ahead\Nero - Burning Rom\Settings\ImageDir=

Ahead Nero Burning Rom: Image directory (Registry change)
HKEY_LOCAL_MACHINE\Software\Ahead\Nero - Burning Rom\Settings\ImageDir=

Ahead Nero Burning Rom: Recent file list( (4 files)) (Registry key)
HKEY_CURRENT_USER\Software\Ahead\Nero - Burning Rom\Recent file list

Ahead Nero Burning Rom: Working directory (Registry change)
HKEY_CURRENT_USER\Software\Ahead\Nero - Burning Rom\Settings\WorkingDir=

Ahead Nero Wave Editor: Recent file list( (2 files)) (Registry key)
HKEY_CURRENT_USER\Software\ahead\nero wave editor\Recent File List

Internet Explorer: Cookies( (12 cookies)) (Directory)
C:\Documents and Settings\Wendie\Cookies

Internet Explorer: Download directory (Registry change)
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download Directory=

Internet Explorer: Temporary internet files( (471 entries)) (Empty cache)

Internet Explorer: URL history #1( (1 files)) (Registry key)
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs

Internet Explorer: User agent (Registry change)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent=Mozilla/4.0 (compatible; MSIE; Win32)

Log: Activity: COM+.log (Backup file)
C:\WINDOWS\COM+.log

Log: Activity: imsins.log (Backup file)
C:\WINDOWS\imsins.log

Log: Activity: ntbtlog.txt (Backup file)
C:\WINDOWS\ntbtlog.txt

Log: Activity: OEWABLog.txt (Backup file)
C:\WINDOWS\OEWABLog.txt

Log: Activity: SchedLgU.Txt (Backup file)
C:\WINDOWS\SchedLgU.Txt

Log: Install: comsetup.log (Backup file)
C:\WINDOWS\comsetup.log

Log: Install: DtcInstall.log (Backup file)
C:\WINDOWS\DtcInstall.log

Log: Install: ocgen.log (Backup file)
C:\WINDOWS\ocgen.log

Log: Install: setupact.log (Backup file)
C:\WINDOWS\setupact.log

Log: Install: setupapi.log (Backup file)
C:\WINDOWS\setupapi.log

Log: Install: setuperr.log (Backup file)
C:\WINDOWS\setuperr.log

Log: Install: setuplog.txt (Backup file)
C:\WINDOWS\setuplog.txt

Log: Install: svcpack.log (Backup file)
C:\WINDOWS\svcpack.log

Log: Shutdown: System32\wbem\logs\mofcomp.log (Backup file)
C:\WINDOWS\System32\wbem\logs\mofcomp.log

Log: Shutdown: System32\wbem\logs\setup.log (Backup file)
C:\WINDOWS\System32\wbem\logs\setup.log

Log: Shutdown: System32\wbem\logs\wbemcore.log (Backup file)
C:\WINDOWS\System32\wbem\logs\wbemcore.log

Log: Shutdown: System32\wbem\logs\wbemess.log (Backup file)
C:\WINDOWS\System32\wbem\logs\wbemess.log

Log: Shutdown: System32\wbem\logs\winmgmt.log (Backup file)
C:\WINDOWS\System32\wbem\logs\winmgmt.log

Log: Shutdown: System32\wbem\logs\wmiadap.log (Backup file)
C:\WINDOWS\System32\wbem\logs\wmiadap.log

Log: Shutdown: System32\wbem\logs\wmiprov.log (Backup file)
C:\WINDOWS\System32\wbem\logs\wmiprov.log

MS Direct3D: Most recent application (Registry change)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Direct3D\MostRecentApplication\Name=

MS DirectDraw: Most recent application (Registry change)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication\Name=

MS Paint: Recent file list( (3 files)) (Registry key)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List

MS Regedit: Recent open key (Registry change)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\LastKey=

MS Wordpad: Recent file list( (1 files)) (Registry key)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Recent File List

RealOne Player 2 (aka RealPlayer 6.0): Last login time (Registry change)
HKEY_CURRENT_USER\Software\RealNetworks\RealPlayer\6.0\Preferences\LastLoginTime\=

RealOne Player 2 (aka RealPlayer 6.0): Last open file directory (Registry change)
HKEY_CURRENT_USER\Software\RealNetworks\RealPlayer\6.0\Preferences\LastOpenFileDir\=

RealOne Player 2 (aka RealPlayer 6.0): Most recent skins #1 (Registry change)
HKEY_CURRENT_USER\Software\RealNetworks\RealPlayer\6.0\Preferences\MostRecentSkins1\=

Windows Explorer: Last Copy/MoveTo folder (Registry value)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CopyMoveTo\LastFolder

Windows Explorer: Stream history( (20 files)) (Registry key)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU

Windows Explorer: User Assistant history files( (838 files)) (Registry key)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count

Windows Explorer: User Assistant history IE( (120 files)) (Registry key)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count

WinZip: Number of times run (Registry change)
HKEY_CURRENT_USER\Software\Nico Mak Computing\WinZip\rrs\Opened=

WinZip: Recent created file list( (15 files)) (Registry key)
HKEY_CURRENT_USER\Software\Nico Mak Computing\WinZip\filemenu

--- Spybot-S&D version: 1.1 rel 4 ---
2003-01-08 Includes\Cookies.sbi
2003-01-08 Includes\Dialer.sbi
2003-01-11 Includes\Hijackers.sbi
2003-01-09 Includes\Keyloggers.sbi
2003-01-08 Includes\Malware.sbi
2003-01-08 Includes\plugin-ignore.ini
2003-01-08 Includes\Security.sbi
2003-01-09 Includes\Spybots.sbi
2003-01-08 Includes\Tracks.uti
2003-01-08 Includes\Trojans.sbi


----------



## mViOkPe (Oct 15, 2002)

Do the popups appear as normal browser windows?

Still need that HT log if you would.


----------



## wguido (Jan 16, 2003)

No, they are little boxes. Even if I can't get rid of them, I appreciate (sp?) all the help! Thank you!


----------



## mViOkPe (Oct 15, 2002)

Would this by any chance be the culprit? http://www.re-quest.net/internet/webpopup/index.htm


----------



## wguido (Jan 16, 2003)

No, It was already stopped


----------



## brendandonhu (Jul 8, 2002)

Just to verify, you scanned the drive with Spybot after checking for updates, right?


----------



## pyritechips (Jun 3, 2002)

> By the way I like your Welcome Gif!! Nice Job!


Thx Dave and feel free to use it! In fact since I posted it here, consider it the property of the site for one and all to use!


----------



## wguido (Jan 16, 2003)

There is one thing that won't go away that could be causing all the trouble. Every other time I go to any webpage, there is a box on the bottom of my screen that says "Microsoft Internet Explorer" and when I click it to maximize it, it won't do anything, I just have to right click the box and hit close. Any ideas?


----------



## wguido (Jan 16, 2003)

Here is a print screen of it...


----------



## rugrat (Dec 17, 2001)

I am thinking your problem is MP3 Dancer which is running from your registry. *adverts.mp3dancer.com!StatsMP3Dancer * This is part of their privacy policy,

Cookies.
The website uses a temporary cookie to store where surfers came from on their first visit. In connection with TotemCash (www.totemcash.com) our affiliate program, the website may also use a cookie as part of its compensation mechanism.

I am assuming the compensation mechanism is advertising.

From the license agreement,

DISCLAIMER OF ACTIVITY 
This software reports to the www.mp3dancer.com server every day (No personal information is sent or requested, only counters). This software tests, determining new versions and updates; which it will automatically update if appropriate.

I would try uninstalling it from add/remove programs

Let us know


----------



## wguido (Jan 16, 2003)

I did remove it last week..how is it still in there?


----------



## rugrat (Dec 17, 2001)

Do you see anything named Totem in add/remove?


----------



## wguido (Jan 16, 2003)

No, but I did delete the Totem folder...


----------



## rugrat (Dec 17, 2001)

How about Uninstall0001 in the add/remove? Also, search your drive for upd.exe and,
Let us know


----------



## wguido (Jan 16, 2003)

Neither


----------



## rugrat (Dec 17, 2001)

Try rebooting and see if the ad problem went away with the totem folder.

Let us know


----------



## wguido (Jan 16, 2003)

No, it didn't.


----------



## rugrat (Dec 17, 2001)

Did the totem file come back?


----------



## wguido (Jan 16, 2003)

no


----------



## rugrat (Dec 17, 2001)

Have you ever edited your registry? If you are comfortable with it, open regedit and go here
HKLM\Software\Microsoft\Windows\CurrentVersion\Run 

and delete this key,

Uninstall0001 = "C:\Program Files\Common Files\Totem Shared\Uninstall0001\upd.exe" LASTCALL!adverts.mp3dancer.com!StatsMP3Dancer


----------



## wguido (Jan 16, 2003)

How do I get to that?


----------



## rugrat (Dec 17, 2001)

Click Start, Run and type in regedit, then click each of these:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

everything after a \ will be another click


----------



## wguido (Jan 16, 2003)

???


----------



## rugrat (Dec 17, 2001)

Click your Start button, in the Run box type regedit. Once regedit opens, click the little + sign next to
HKEY_LOCAL_MACHINE
when that expands, click
Software
when that expands, click
Microsoft
when that expands, click
Windows
when that expands, click
CurrentVersion
when that expands, click
Run

Now in the right pane you should see Uninstall0001, right click on it and delete it.

I would also suggest you run start list again when you are done and post a fresh copy.


----------



## wguido (Jan 16, 2003)

I did post...it isn't there


----------



## rugrat (Dec 17, 2001)

Just saw the picture, there must still be something in the start up list we are missing. Run Start List again and repost. This will show us what spybot etc... already got rid of.


----------



## wguido (Jan 16, 2003)

How do I get it?


----------



## rugrat (Dec 17, 2001)

If you still don't have it from the first time you downloaded:

http://www.lurkhere.com/~nicefiles/


----------



## wguido (Jan 16, 2003)

StartupList report, 1/17/2003, 3:55:24 PM
StartupList version: 1.51
Started from : C:\unzipped\startuplist151[1]\StartupList.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\DELL\AccessDirect\dadapp.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Washer\washer.exe
C:\Program Files\D-Link AirPlus\WLANMON.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\unzipped\startuplist151[1]\StartupList.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
D-Link AirPlus DWL-650+ Utility.lnk = ?

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

NvCplDaemon = RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
SynTPLpr = C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
SynTPEnh = C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
DadApp = C:\Program Files\DELL\AccessDirect\dadapp.exe
NAV Agent = C:\PROGRA~1\NORTON~1\navapw32.exe
NeroCheck = C:\WINDOWS\System32\NeroCheck.exe
Dell|Alert = C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

washindex = C:\Program Files\Washer\washidx.exe "Wendie"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

AIM = C:\Program Files\AIM95\aim.exe -cnetwait.odl
Washer = C:\Program Files\Washer\washer.exe /0
Extreme Messenger for AIM = C:\Program Files\Extreme Messenger\ExtremeMessenger.exe nosplash

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

washindex = C:\Program Files\Washer\washidx.exe "Wendie"

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\WINDOWS\MSView.DLL - {00000580-C637-11D5-831C-00105AD6ACF0}
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}
(no name) - C:\Program Files\Microsoft Money\System\mnyviewer.dll - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Norton AntiVirus - Scan my computer.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[SysProWmi Class]
InProcServer32 = C:\WINDOWS\System32\Dell\SystemProfiler\SysPro.ocx
CODEBASE = http://support.dell.com/us/en/systemprofiler/SysPro.CAB

[RdxIE Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\RdxIE.dll
CODEBASE = http://207.188.7.150/161b002aed60a3bd7306/netzip/RdxIE601.cab

[DmiReader Class]
InProcServer32 = C:\WINDOWS\DOWNLO~1\SYSPRO~1.DLL
CODEBASE = http://ftp.us.dell.com/fixes/PROFILER.CAB

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://active.macromedia.com/flash2/cabs/swflash.cab

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: \??\C:\DOCUME~1\Wendie\LOCALS~1\Temp\_iu14D2N.tmp|||A

--------------------------------------------------
End of report, 5,429 bytes
Report generated in 0.250 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


----------



## rugrat (Dec 17, 2001)

Huge difference! I do not see anything else but, I am not the resident expert. I am sure others will take a look and may see something I missed. If I do notice something, I will post back.


----------



## mViOkPe (Oct 15, 2002)

What is this BHO? 
(no name) - C:\WINDOWS\MSView.DLL - {00000580-C637-11D5-831C-00105AD6ACF0}

When I first saw it I thought it was Mview but it isn't. Can you DL BHODemon: http://www.spywareinfo.com/downloads/bhod/index.html and check its properties? If you can't tell, just disable it and see if your prob still exists.


----------



## wguido (Jan 16, 2003)

is this


----------



## mViOkPe (Oct 15, 2002)

Yep, I believe this is the critter; http://www.msview.cc/

Disable it with BHOD and see if it goes away.

BTW You may have to kill all instances of IE in the TaskManager in order to disable.


----------



## wguido (Jan 16, 2003)

I think that was it!!! I haven't had a popup yet! But now when I reboot my computer I get a black screen! Well, I don't care about that! lol THANK YOU SOOOOO MUCH!!!!!


----------



## rugrat (Dec 17, 2001)

Glad you got it!!!

Great catch mViOkPe!!

Let us know if you need anything else.


----------



## mViOkPe (Oct 15, 2002)

OK good. Now use find and delete MSView.dll (again, may have to close IE). That should clean you up. I've already reported it to PMK for targeting. Thx for bringing it to our attention.

Hey rugrat, all in a day's work.


----------



## Javacool (Jan 17, 2003)

> _Originally posted by mViOkPe:_
> *OK good. Now use find and delete MSView.dll (again, may have to close IE). That should clean you up. I've already reported it to PMK for targeting. Thx for bringing it to our attention.
> 
> Hey rugrat, all in a day's work.  *


Definitions released today for SpywareBlaster target this new item (for protection).

And I'm sure Patrick will come out with an update for Spybot in no time (for removal). 

Best regards,

-Javacool


----------



## mViOkPe (Oct 15, 2002)

Hey JC, nice to see ya.


----------



## TonyKlein (Aug 26, 2001)

Yup, it's a new Transponder version.

I'd already seen it once before:

http://www.lavasoftsupport.com/index.php?act=ST&f=11&t=2358


----------



## mViOkPe (Oct 15, 2002)

Thx Tony, guess I need to play some 'catch up' from my vacation. If you get away from the world for a few weeks, all kinds of stuff creeps in.


----------



## TonyKlein (Aug 26, 2001)

Hi Mikey! 

At least you allow yourself to "get away" for a while. 

Wouldn't be so bad for me either...


----------



## wguido (Jan 16, 2003)

Hey guys, I need some help again. The pop ups are gone, but now when I start up my computer, windows will load, and then it turns black for like 3 seconds. And also, when I start Picture It! It says I need the disk to install it, but it NEVER did that before. HELP! And also, my screen saver doesn't come on any more. It is set and everything...


----------



## mViOkPe (Oct 15, 2002)

> _Originally posted by wguido:_
> *Hey guys, I need some help again. The pop ups are gone, but now when I start up my computer, windows will load, and then it turns black for like 3 seconds. And also, when I start Picture It! It says I need the disk to install it, but it NEVER did that before. HELP! And also, my screen saver doesn't come on any more. It is set and everything... *


This could be a very good indication as to what apps hosted some of your nasties. I know of no software that hosts spies that can't be easily replaced by an alternative clean one. If you reinstall, you will likely be reinfected.


----------



## TheMadHatter (Dec 21, 2003)

Try a firewall that blocks popups. Symantec has a good one.


----------

