bluekey23
June 29th, 2004, 08:19 PM
Hello,
I have either a worm or some kind of crapware that keeps installing.
Hopefully, someone can help. I have spent the last several days trying to rid my system of this crapware.
Brief background of problem: signed up with new ISP and grabbed their accelerator (DSLBuster put out by slipstream). Right away I saw a lot of strange, new things in my ZA logs: hundreds of access attempts from the loopback address (127.0.0.1). Things like rap-listen, hello, Lipsinc 1, and on and on... All try to get access from ports in the range 1000-2000. These had never appeared before. So, I ran Spybot and found many red-highlighted entries. All were from Broadcastpc.tv and AdRoarPlugin. I removed the accelerator immediately (had to use safe mode because add/remove programs wouldn't remove it). Then cleaned out all the registry entries I could find associated with this crapware. I thought that should take care of the problem. It didn't. I don't see the Broadcastpc.tv stuff anymore, but AdRoarPlugin keeps activating. Adaware doesn't detect this, but Spybot does. Spybot DOES get rid of it, but as soon as I get online for a few minutes it keeps coming back. I tried at the ZA forum and one of the resident gurus helped me understand the problem, but offered no clue as to how to get rid of it. He told me, though, that when you see all those access attempts from the loopback address, it's a good sign the problem is a persistent webbug or malware of some kind. I can't find the clsid for this because Spybot now only brings up this:
AdRoarPlugin : Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-2516663517-769204576-1617704533-1003\Software\VB and VBA Program Settings
By trial and error I've discovered that this always gets reintroduced into the registry at startup. Spybot can get rid of it. It must come from somewhere. Can any kind soul offer me some way to get to the root of this problem so that I can get it off my system for good?
Thanks!
p.s. Javacool, if you happen to see this post, this is something that definitely needs to be introduced into your database!