# Super Adware



## dutkaman (Mar 8, 2005)

I have run the updated versions of AdAware and Spybot and neither one can get rid of this freakin adware. It seems to open windows (both on and off line) when I'm using the browser (IE). Can anyone please help me get rid of this super tick of a program. I've never seen one this persistent. Here is the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:28:32 PM, on 3/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
D:\altera\quartus41\bin\JTAGServer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\Program Files\Common Files\Sony Shared\VAIO Zone Middleware\VZMService.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sony\Jog Dial Navigator\JogServ2.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\PowerPanel\Program\PcfMgr.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\PCClient.EXE
C:\Program Files\Trend Micro\Internet Security\PCCGUIDE.EXE
C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\AIM95\aim.exe
C:\WINDOWS\system32\w?auboot.exe
C:\Documents and Settings\Paul Dutka\Desktop\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4715E8ED-0574-65DE-2FE7-0595CDA0819D} - C:\WINDOWS\system32\luhwog.dll
O2 - BHO: GlobalSpec Engineering Toolbar - {4E7BD74F-2B8D-469E-D1FB-EF7FB3D5FA7D} - C:\WINDOWS\DOWNLO~1\gspec.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {224530A0-C9CB-4AEE-9C0F-54AC1B533211} - (no file)
O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O3 - Toolbar: GlobalSpec Engineering Toolbar - {4E7BD74F-2B8D-469E-D1FB-EF7FB3D5FA7D} - C:\WINDOWS\DOWNLO~1\gspec.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O4 - HKLM\..\Run: [JOGSERV2.EXE] C:\Program Files\Sony\Jog Dial Navigator\JogServ2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [AIMWDInstallFilename] D:\PROGRA~1\AIM95\AIMWDI~1.EXE
O4 - HKLM\..\Run: [Preview AdService] C:\Program Files\Preview AdService\PrevAdServ.exe
O4 - HKLM\..\Run: [AdTools Service] C:\Program Files\AdTools Service\AdTools.exe
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [ydzfrn] c:\windows\system32\ydzfrn.exe
O4 - HKLM\..\Run: [sixtysix] C:\WINDOWS\sixtypopsix.exe
O4 - HKLM\..\Run: [wjsngdaj] C:\WINDOWS\wjsngdaj.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Umsr] C:\Documents and Settings\Paul Dutka\Application Data\isno.exe
O4 - HKCU\..\Run: [Obbsbd] C:\WINDOWS\system32\w?auboot.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: PowerPanel.lnk = ?
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0FF3E97F-433D-11D2-B31A-00A0C9B135DB} (CoDetectDigitalRiver Class) - http://ebot.digitalriver.com/v2.0-doc/dlwizard/wizard3.0.4.3.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) - 
O16 - DPF: {4E7BD74F-2B8D-469E-D1FB-EF7FB3D5FA7D} (GlobalSpec Engineering Toolbar) - http://www.globalspec.com/engineering-toolbar/gspec.cab
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://D:\Program Files\MDT6\InstBanr.ocx
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://D:\Program Files\MDT6\InstFred.ocx
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://D:\Program Files\MDT6\AcPreview.ocx
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Altera JTAG Server (JTAGServer) - Unknown owner - D:\altera\quartus41\bin\JTAGServer.exe
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
O23 - Service: VAIO Media Music Server (Application) (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (Application) (file missing)
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (Application) (VAIOMediaPlatform-PhotoServer-AppServer) - Unknown owner - C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VZMServ Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Zone Middleware\VZMService.exe


----------



## golferbob (May 18, 2004)

I also use Spyware Doctor, it found one in my system. It is free, website below.

http://www.download.com/Spyware-Doctor/3000-8022-10361503.html?tag=list


----------



## Flrman1 (Jul 26, 2002)

Hi dutkaman

Welcome to TSG! 

Go to Add/Remove programs and uninstall Viewpoint Manager and Viewpoint Toolbar.

Now turn off Spybot's Tea Timer until we are finished removing the malware from your computer as it will interfere with the changes you are trying to make.

Run Hijack This again and put a check by these. Close *ALL* windows except HijackThis and click "Fix checked"

*R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {4715E8ED-0574-65DE-2FE7-0595CDA0819D} - C:\WINDOWS\system32\luhwog.dll

O3 - Toolbar: (no name) - {224530A0-C9CB-4AEE-9C0F-54AC1B533211} - (no file)

O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)

O4 - HKLM\..\Run: [Preview AdService] C:\Program Files\Preview AdService\PrevAdServ.exe

O4 - HKLM\..\Run: [AdTools Service] C:\Program Files\AdTools Service\AdTools.exe

O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\system32\wsxsvc\wsxsvc.exe

O4 - HKLM\..\Run: [ydzfrn] c:\windows\system32\ydzfrn.exe

O4 - HKLM\..\Run: [sixtysix] C:\WINDOWS\sixtypopsix.exe

O4 - HKLM\..\Run: [wjsngdaj] C:\WINDOWS\wjsngdaj.exe

O4 - HKCU\..\Run: [Umsr] C:\Documents and Settings\Paul Dutka\Application Data\isno.exe

O4 - HKCU\..\Run: [Obbsbd] C:\WINDOWS\system32\w?auboot.exe

O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -*

Restart to safe mode.

*How to start your computer in safe mode*

Because XP will not always show you hidden files and folders by default, Go to Start > Search and under "More advanced search options". 
Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders"

Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

Now find and delete these files:

C:\Documents and Settings\Paul Dutka\Application Data\*isno.exe*
C:\WINDOWS\*sixtypopsix.exe*
C:\WINDOWS\*wjsngdaj.exe*
c:\windows\system32\*ydzfrn.exe*

Delete these folders:

C:\Program Files\*Preview AdService*
C:\Program Files\*AdTools Service*
C:\WINDOWS\system32\*wsxsvcxe*

Do a file search for *w*auboot.exe* and let me know exactly what you find.

Also in safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Go to Start > Run and type *%temp%* in the Run box. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

Empty the Recycle Bin


----------
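As an added example (not code from this thread, from HijackThis or from TSG), here is a small Python triage script that applies the same reading of a HijackThis log that the reply above does by hand: unnamed BHOs and toolbars, orphaned "(no file)" entries, Run targets sitting in unusual places or with random-looking names, an O16 control with no download URL, and a "?" in a file name such as w?auboot.exe, which cannot be a real Windows file name character. The sample lines are constructed from a subset of the log in the first post.

```python
import re
from typing import List, Tuple

# Constructed sample in HijackThis v1.99.1 format, modelled on a subset of
# the entries in this thread's log.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {4715E8ED-0574-65DE-2FE7-0595CDA0819D} - C:\WINDOWS\system32\luhwog.dll
O3 - Toolbar: (no name) - {224530A0-C9CB-4AEE-9C0F-54AC1B533211} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ydzfrn] c:\windows\system32\ydzfrn.exe
O4 - HKLM\..\Run: [sixtysix] C:\WINDOWS\sixtypopsix.exe
O4 - HKCU\..\Run: [Umsr] C:\Documents and Settings\Paul Dutka\Application Data\isno.exe
O4 - HKCU\..\Run: [Obbsbd] C:\WINDOWS\system32\w?auboot.exe
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
"""

Finding = Tuple[str, str, str]  # (HJT section, target, reason)
VOWELS = set("aeiou")
O4_RE = re.compile(r"^[^:]*: \[[^\]]*\]\s*(?P<cmd>.*)$")
EXE_RE = re.compile(r'^"?(.*?\.(?:exe|dll|com|scr|bat))', re.I)
O16_RE = re.compile(r"^DPF: \{[^}]*\} \((?P<name>[^)]*)\)\s*-\s*(?P<url>.*)$")


def path_findings(path: str) -> List[str]:
    """Heuristics on where an autostart target lives and what it is called."""
    parent, _, base = path.lower().rpartition("\\")
    stem = base.rsplit(".", 1)[0]
    reasons = []
    # '?' is not a legal Windows file name character, so a '?' means the
    # tool could not display the real character; compare with Explorer.
    if "?" in base:
        reasons.append("'?' in file name: tool could not render the real name")
    if parent.endswith(":\\windows"):
        reasons.append("executable placed directly in the Windows root")
    if parent.endswith("\\application data"):
        reasons.append("executable placed directly in Application Data")
    if len(stem) >= 6 and stem.isalpha() and not set(stem) & VOWELS:
        reasons.append("random-looking name with no vowels (weak signal)")
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Return the entries a helper would ask to have checked or fixed."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        kind, sep, body = line.strip().partition(" - ")
        if kind in ("O2", "O3") and body.count(" - ") >= 2:
            parts = body.split(" - ")
            name, target = parts[0].split(": ", 1)[-1], parts[-1].strip()
            if name == "(no name)":
                findings.append((kind, target, "BHO/toolbar registered without a name"))
            if target == "(no file)":
                findings.append((kind, target, "orphaned entry: registered file is missing"))
            findings += [(kind, target, r) for r in path_findings(target)]
        elif kind == "O4" and (m := O4_RE.match(body)):
            exe = EXE_RE.match(m.group("cmd"))  # strip quotes and trailing switches
            target = exe.group(1) if exe else m.group("cmd")
            findings += [(kind, target, r) for r in path_findings(target)]
        elif kind == "O16" and (m := O16_RE.match(body)) and not m.group("url").strip():
            findings.append((kind, m.group("name"), "ActiveX control with no download URL recorded"))
    return findings

if __name__ == "__main__":
    print(*triage(SAMPLE_LOG), sep="\n")
```

The vowel rule is deliberately weak and is only one of several flags; the benign hkcmd.exe and qttask.exe lines in the sample produce no finding, while each entry Flrman1 asked to fix produces at least one.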



## dutkaman (Mar 8, 2005)

Thank you so much for your help. You've made me a very happy man. I will most definitely donate to help keep this site going. This is the following info I got from searching for w*auboot.exe: located in c:\windows\system32, is 408KB and was modified 02/08/05. I don't remember having that running before I started getting that adware popups, but when I looked it up, it said it was for Windows to do auto-update. When I was trying to figure out what program was causing the ads to come up, that exe seemed to always startup right before the ads did. Thank you again. I haven't had any more ads come up since I did all the stuff you told me.


----------



## Flrman1 (Jul 26, 2002)

What was the actual file name? Was it wuauboot.exe? Right click the file and choose "Properties". Tell me all the info you find there.


----------



## dutkaman (Mar 8, 2005)

yeah, that would sort of help, wouldn't it... sorry bout that.

General tab info:
wuauboot.exe
Type of file: Application
Description: wuauboot
Location: C:\WINDOWS\system32
Size: 408 KB (417,792 bytes)
Size on disk: 408 KB (417,792 bytes)
Created: Monday, February 21, 2005, 3:04:55 PM
Modified: Tuesday, February 08, 2005, 9:34:46 AM
Accessed: Today (thursday), March 10, 2005, 1:16:20 AM
Attributes: [checked] Read-only [checked] Hidden (the hidden option is grayed out)

also, my virus checker has a tab under properties called Virus Property, and it says there's no viruses, but more importantly it says:
File name: w?auboot.exe

I remember seeing it called that at some point during my personal battle in trying to find this thing myself before I asked you guys about it. I'm obviously guessing here, but I have a strong feeling that the ad program was exploiting wuauboot.exe to open up browser windows and yet not be flagged by the adware cleaners, cause I noticed it was loaded into the process list right before an ad would pop up, even when I closed the wuauboot.exe process before. Plus, I never remember that being in my process list before, and it's not running now either anymore.


----------



## Flrman1 (Jul 26, 2002)

Click on the version tab of wuauboot.exe and see what it says the product name and company name are.

Also is there more than one wuauboot.exe file there?


----------



## dutkaman (Mar 8, 2005)

No, there's only that one file. The product and company names are blank for that file, unlike the other Windows files around it.


----------



## Flrman1 (Jul 26, 2002)

Go here

Look at the top of the page for the *Submit* file box.

Click on *Browse*

Navigate to the C:\WINDOWS\System32 folder and upload the *wuauboot.exe* file and let us know what you find.


----------



## edeldoug (Dec 25, 1998)

It is apparent that despite their protestations that ViewPoint is not spyware... they ARE INDEED Adware and intend to be.

As ViewPoint is pre-installed by a number of PC Vendors, and is included with numerous software installs including AOL and AIM - it is quite prevalent in terms of installs. AOL is particularly egregious as it AUTOMATICALLY REINSTALLS ViewPoint every time you open AOL if you uninstall ViewPoint. (Unless you know the SECRET to turn it off.)

ViewPoint masquerades as a useful, innocuous, and misunderstood and maligned technology to enhance your web experience. Unfortunately it seems it has little real purpose beyond being a fancy graphics adserver.

http://www.clickz.com/news/article.php/3561546
Viewpoint to Plunge Into Adware
ClickZ News
By Zachary Rodgers | November 3, 2005

Viewpoint will develop a behavioral targeting product in 2006, execs said during the company's Q3 earnings call.

It will work by collecting clickstream data on users who have installed the Viewpoint media player, then using that data to target ads and content on the company's partner sites. Viewpoint claims 120 million users have installed its player.

CEO Patrick Vogt announced the behavioral tech in the wake of a downbeat quarter for Viewpoint and its ad systems unit in particular, which includes Unicast. Viewpoint reported a net loss of $1.5 million on total revenue of $6 million.

Execs blamed the poor earnings on several factors, including weakness in the company's sales and marketing organization and publisher integration problems with its new Fuse ad management platform.

Capitalizing on advertiser demand for user behavior data could bring a gush of revenue. However, it's a risky strategy given Internet users' privacy concerns and an unsettled legislative environment around desktop software that gathers user clickstream data. The company will likely encounter a significant backlash unless it loudly and explicitly warns users of its new tracking practices -- and maybe even if it does.

In an interview after the earnings announcement, Vogt insisted Viewpoint would comply with all laws and maintain a high standard of privacy.

"We're going to be conservative," he said. "We can't afford not to do the right thing for the users, and the enterprises."

He declined to elaborate on the offering, but said it will be introduced by the second quarter of 2006. 
The adware move is only one part of what appears to be a general strategy of diversification at Viewpoint. Vogt also said the company will expand its creative services, historically focused on rich media production, into more of a full service offering.

"No longer will customers have to work through multiple companies for creative, media buying, and ad serving," he said. "Viewpoint will do it all."

That strategy will put the company into direct competition with ad agencies, whom Vogt said Viewpoint has relied on too much to convey the value of its products to advertisers. The company will also lower silos between its divisions, a move it hopes will increase business from existing customers, and create a consulting practice, which it says will bring in new ones.

Corrected & Retracted: An earlier version of this story indicated specific Viewpoint partners are aware and approve of the future behavioral marketing product. ClickZ regrets the error.

Further, AOL automatically REInstalls Viewpoint upon startup of their software, if you have uninstalled it. The only way to prevent this is a pretty closely guarded secret:

http://edeldoug.blogs.com/thoughts_rants_raves_and_/2006/03/aols_forced_ins.html
by Doug Edelman
AOL's Forced Installation of Viewpoint Spyware CAN Be Prevented
March 06, 2006 08:49 AM EST

Computing.net has reported: "Both AOL's internet software and the AOL Instant Messenger program (AIM) are force installing unwanted software called Viewpoint Media Player on people's computers." www.computing.net/security/wwwboard/forum/9665.html

Many Antispyware programs can detect and remove Viewpoint, however AOL reinstalls it EVERY TIME you open AOL if it's found missing!

AOL has incorporated Viewpoint into its AIM and Superbuddy features, and considers it integral to AOL "functioning properly". Therefore, even if your antispyware is able to detect and remove all vestiges of Viewpoint, AOL will reinstall it the very next time you log on!

According to Paretologic, makers of Xoftspy antispyware software, Viewpoint is not only spyware, but it can slow your system down due to its hogging of processor cycles and memory.

http://labs.paretologic.com/spyware.aspx?remove=Viewpoint Toolbar
"Viewpoint tracks user information, installs without notice, uses immense system resources."

AOL DOES have a way to prevent this, though... but they are SURE keeping it a secret. In fact, the process CAN'T be found unless you know about it! Hence the reason for this article! EVERY AOL user should know about this.

Open AOL and go to "help" on the toolbar. Select "About AOL". Next is the SECRET STEP. You must then press "CTRL+D" to access a "secret" panel to disable all of the desktop and IM fancy features that are associated with viewpoint. This is the only way to prevent AOL from re-installing Viewpoint at AOL startup.

Most users will find their system performance improves once they have removed viewpoint.

Related Reading:
http://www.spywaredaily.com/2005/03/spyware.html What is spyware?

Copyright © 2005 by Doug Edelman


----------

