I'm desperate -- PLEASE HELP
Gab
February 1st, 2005, 01:26 PM
I was being re-directed to porn sites -- pretty bad because my young son uses this machine. Disgusting links in Google. I ran Spybot and it picked up and destroyed a few things. Then Adaware found more things. It removed them but it hangs when it tries to delete Windupdates. I have spent the whole afternoon and early evening trying to get things clean, including downloading spyware killers -- they all hang.
If you can help, I would be eternally grateful
Capp
February 1st, 2005, 01:33 PM
Try running your clean-up software after booting into Safe Mode
If you are unsure how:
restart your computer
press F8 before the windows splash screen appears
select "boot to safe mode"
This will allow you to run the scans with minimal services/programs running to interfere.
Check this folder as well: Start | Programs | Startup
If it's not needed, delete it.
Do you know much about the registry? If so, let us know and we can guide you through deleting stuff from the Run key.
Good luck.
Gab
February 1st, 2005, 01:38 PM
I know very little about the Registry, but I know how to get a HijackThis log.
I'm on Windows 98 SE. There is no Start Up in the Programs list. The last time I tried to boot in safe mode, the mouse didn't work. But I'll try it again now.
Thanks a million for such a rapid response.
Gab
Capp
February 1st, 2005, 01:42 PM
Glad to help.
Keep us posted as to the results :)
spy1
February 1st, 2005, 01:42 PM
http://forums.spywareinfo.com/index.php?showtopic=227
ronjor
February 1st, 2005, 01:42 PM
Gab
Wilders no longer does hijack logs. Try the link for those that do.
http://a-sap.org/
I'll move this thread to Privacy Problems.
Capp
February 1st, 2005, 01:48 PM
{QUOTE-> I know very little about the Registry, but I know how to get a HijackThis log.
I'm on Windows 98 SE. There is no Start Up in the Programs list. The last time I tried to boot in safe mode, the mouse didn't work. But I'll try it again now.
Thanks a million for such a rapid response.
Gab <-QUOTE}
Since you are using Win98 do this:
Start | Programs | Accessories | System Tools | System Information
Once it opens up go to Tools | System Configuration Utility
Click the "Startup" Tab
This lists a lot of programs that start up for your system. Check/uncheck the ones you want/don't want and click ok. You'll then have to reboot, but it's a start.
Gab
February 1st, 2005, 03:51 PM
I have done that. Nothing there about windupdate. I have unchecked loadqm (on a forum saw that you could do this).
I managed to run Spy Doctor in safe mode. It removed lots of things, but windupdates still seems to be there. Oh blimey!
Very appreciative of the comments and attempts to help.
Gab
snapdragin
February 1st, 2005, 04:34 PM
Hi Gab, and welcome.
I do not usually point people to other people's log threads, but this thread (http://www.lavasoftsupport.com/index.php?showtopic=57391) at the Lavasoft forum (Ad-Aware SE) is fairly recent and the information given by the staff there might be helpful. It was mentioned by Mannen, one of the LavaXperts there, to look in the Add/Remove Program for a "Windows ControlAd" and if present, uninstall it, then do another full scan with Ad-Aware. In that member's case, they were successful in removing 'windupdate'.
You may want to post an Ad-Aware scan log at Lavasoft forum for further analysis and cleanup. Be sure you have the most recent definitions (at the time of typing this post, the last update should show SE1R26 25.01.2005 ), and that you've read their posting policy for posting logs and scans: Before Posting A Logfile (http://www.lavasoftsupport.com/index.php?showtopic=48135).
Please let us know how it turns out.
Regards,
snap
Capp
February 1st, 2005, 05:12 PM
Check to see if it is in your registry.
Be very careful doing this
Start | Run --> Type "regedit"
Expand HKEY_LOCAL_MACHINE
Expand Software
Expand Microsoft
Expand Windows
Expand CurrentVersion
Click on Run
If you see the windupdate listed...click it and delete it
Gab
February 1st, 2005, 05:50 PM
There's nothing at all in Regedit when I get to Run as you instructed, except empty folders.
As you suggest, I'll go on to the Lavasoft site, but tomorrow. To tell you the truth, I've been at this since 2 pm our time (in the UK, where it is now 10.50 pm) and I'm stressed out from it. Once again, I really appreciate the help I'm getting. I'll keep you posted.
One thing you may be interested in is that I use MSN to talk to a friend in the USA. That friend today received an email purporting to be a friend of mine, with all kinds of details about me which could only have been got by spying on my MSN conversations. I know this for sure, because there are a couple of personal details which I've only ever mentioned on MSN (such as a new coat I got only yesterday, and the only person I told about it was my friend on MSN when we were chatting yesterday -- other little things too which could only have come from my MSN conversation with her). Today she received that email from a hotmail account, asking her for her bank details because the person claimed to want to send her money to buy airline tickets so I could fly out to see her, as a gift to me, but that it had to be kept secret. I was not supposed to know so that it would be a surprise. I can send you the email if you like.
All this is very worrying, and I'm absolutely shattered from it.
Once again, many, many thanks.
Gab
Capp
February 1st, 2005, 07:39 PM
Check in "regedit" under HKEY_CURRENT_USER and expand the same directories listed above.
Good luck with Ad-Aware
Butters
February 1st, 2005, 09:04 PM
I googled it and found manual removal instructions. There is a lot of stuff to delete, if you aren't comfortable editing the registry you might need to find a removal tool. I don't vouch for the following software "Scanspyware." I don't have any experience with it either way, I am just providing the link for the free removal instructions.
Manual Detection & Removal of WindUpdates
http://www.scanspyware.net/info/WindUpdates.htm
It is recommended to take a backup of Registry before following manual instructions. The best solution for taking backup is creating a System Restore Point before following the instructions below. Please note that ScanSpyware uses certain other rules for detection and removal of spyware from your PC, which results in 100% accuracy in removal process. Only use the below given information for spyware removal if you are sure about what you are doing.
Delete the following directories:
WindUpdates
Windows AdControl
Windows ControlAd
Admilli Service
Admanager Controller
Delete the following files:
WinAdCtl.exe
WinCtlAd.exe
WinUpdt.exe
WinKA.exe
comm.dll
AdmilliComm.dll
AdmilliKeep.exe
AdmilliServ.exe
Info.txt
AdManCtl.exe
AdManKeep.exe
WinAdCtlX.dll
Bridgex.dll
Bridgex.inf
WinAdCtlX.dll
Bridgex.dll
ide21201.vxd
cdt_bbi8016.exe
Delete the following Cookies:
WindUpdates does not create any cookies
Delete the following registry keys:
BridgeX.Installer
BridgeX.Installer
{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}
{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}
{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}
WindUpdates
Admilli Service
Windows AdControl
Windows ControlAd
Wind Updates
Admilli Service
Windows AdControl
Windows ControlAd
%windir%/Downloaded Program Files/BridgeX.dll
%windir%/Downloaded Program Files/WinAdCtlX.dll
Delete the following registry values:
Admilli Service
Windows AdControl
Windows ControlAd
Admanager Controller
WindUpdates
%windir%\Downloaded Program Files\BridgeX.dll
%windir%\Downloaded Program Files\WinAdCtlX.dll
--------------------------------------------------------------
Gab, I have found Ad-aware as the name implies be useful for ADWARE, but not much more. If you want to get rid of tracking cookies it is okay, but there are better products to handle even that problem. It has become somewhat obsolete in my opinion, especially if you patch Windows and switch browsers. What you have is a lot nastier than anything that Adaware is designed to handle.
SpyBot Search and Destroy is freeware as is Hijackthis, and both are very good. Giant Anti-spyware was bought by Microsoft and is being offered as freeware (http://www.snapfiles.com/get/msantispy.html). Pest Patrol used to offer a free scanner, you had to buy it to get the removal features enabled. I think it is strictly commercial now. It is still my preferred spyware scanner although I have several. No false positives, and it finds stuff that nothing else does. They used to publish great manual removal instructions. If you consider buying one you should look into it.
When you get a pest like this it usually means you need to patch your OS. Once you get it cleaned go to windowsupdate.microsoft.com and download the critical patches or service packs if you haven't. Also, if you are using Internet Explorer, consider switching to Mozilla or Firefox.
snowbound
February 1st, 2005, 09:11 PM
{QUOTE-> I don't vouch for the following software "Scanspyware." I don't have any experience with it either way, I am just providing the link for the free removal instructions.
<-QUOTE}
Just to make it known here, ScanSpyware is on the rogue list,
http://www.spywarewarrior.com/rogue_anti-spyware.htm
snowbound
Butters
February 1st, 2005, 10:42 PM
{QUOTE-> Just to make it known here, ScanSpyware is on the rogue list,
http://www.spywarewarrior.com/rogue_anti-spyware.htm <-QUOTE}
Snowbound,
I agree. I am not sure I trust this program, that is why I added the disclaimer. However, I would be willing to give their removal instructions a try (backing up the registry first). It would be worth searching for the processes and registry entries, if they are there it validates the instructions.
My sister got infected with coolwebsearch and emailed me for help. It was a real mess, multiple processes, dozens of registry entries, if you don't find them all they are recreated. I finally found some instructions using google and identified the scope of the problem. (Now they have a removal tool). Without a map you simply cannot remove a problem like this.
Gab,
I would add the following about backing up the registry: do make a system restore point as they recommended, but back it up manually as well.
Q Section
February 1st, 2005, 11:02 PM
In addition a good programme that deserves mentioning is IM2. If one uses IM2 one can have a relatively good sense of security as conversations between different IM2 users are encrypted. IM2 is a multi-platform instant messaging client available here (http://www.im2.com/).
snowbound
February 2nd, 2005, 06:23 AM
{QUOTE-> Snowbound,
I agree. I am not sure I trust this program, that is why I added the disclaimer. However, I would be willing to give their removal instructions a try (backing up the registry first). It would be worth searching for the processes and registry entries, if they are there it validates the instructions.
<-QUOTE}
Yes, of course. I just wanted to alert everyone here in case someone was thinking of actually downloading this program.
snowbound
Gab
February 2nd, 2005, 08:28 AM
I am still infected. Still doing my nut.
1. Under HKEY_CURRENT_USER expansion up to Run, no sign of Windupdates
2. Giant AntiSpyware will not run under Windows 98; requires 2000 and above.
3. Adaware picks up Windupdates but hangs when it tries to delete it.
4. Adaware in safe mode does not pick it up.
5. Neither Spybot nor Spyware Doctor picks it up, either in normal or safe mode.
6. When I have used IE6 to go to my web mailbox, I then can't get to this site. I get a file download warning. I click Cancel and I'm returned to the Desktop.
7. I am not very confident about doing a manual deletion of Registry entries. I don't know what I am doing. I will try it if you think it's OK, but given the comments above, is it safe?
8. I will investigate encrypted messaging, but I want to concentrate on getting rid of Windupdates first.
9. I am very sorry to be such a pain. I am not computer illiterate, but I am in uncharted territory. I am -- need I repeat it? -- very grateful to you.
Gab
Gab
February 2nd, 2005, 09:29 AM
One final thing. I have now tried the instructions in the Lavasoft thread, as suggested. I found an entry named AdStatus. I removed it. After the usual Are You Sure? thing (in this case telling you that if you do remove it, you may not be able to run some freeware), you get a message asking if you also want to keep certain elements listed. You click No and are immediately taken to windupdates.com. Clever people these swines!
After removal of AdStatus, Adaware does indeed run and doesn't find any windupdate entries. But Spy Doctor now hangs as it reaches the second entry in its database (AdGoblin). Something must still be there, since Spy Doctor runs OK in safe mode.
This is getting to be a minefield. But I am learning a lot in my despair.
Gab
Sweetie(*)(*)
February 2nd, 2005, 10:38 AM
Hi, good to hear that you are learning, we can all learn new things every day :)
Have you tried the Host file restore function in Adaware?
Also if no one has suggested it, switch browsers and get Mozilla Firefox, it's a lot safer than IE.
Gab
February 2nd, 2005, 11:01 AM
Can't find Host File Restore function in Adaware.
I got a "private message from ...". Didn't dare open it! Is it normal?
I am still getting offers to download files when I come on to this site.
And still infected. I am considering giving up and installing Windows 2000 instead of 98. Then getting rid of IE.
Gab
Sweetie(*)(*)
February 2nd, 2005, 11:10 AM
Yes private messages are normal.
have you tried HijackThis?
Gab
February 2nd, 2005, 11:12 AM
I have copied and pasted all the exe and dll files into Search. Nothing found
Gab
Gab
February 2nd, 2005, 11:13 AM
I have tried Hijack This.
How do I get back to the private message I didn't read?
Gab
February 2nd, 2005, 11:38 AM
Got the private message now.
Still desperate. Cups of tea no longer helping!
Gab
Butters
February 2nd, 2005, 12:17 PM
{QUOTE-> After the usual Are You Sure? thing (in this case telling you that if you do remove it, you may not be able to run some freeware), you get a message asking if you also want to keep certain elements listed. You clock No and are immediately taken to windupdates.com. Clever people these swines! <-QUOTE}
Here is how I would approach this problem. Some of these steps might be done already and you can ignore them, but order of removal matters. Deleting registry keys while a process is still running is pointless.
1. Backup registry / create restore point.
2. Download a registry tool such as Regseeker. Don't use it yet. Just get it and install it. (http://www.snapfiles.com/get/regseeker.html)
3. Use a Firewall, preferably with application control. If you don't use one download the free ZoneAlarm version. Pests like this love to phone home when you try to uninstall them so they can reload. When you are done, a firewall such as ZA will alert you if you haven't cleaned everything because it will tell you if any of those listed processes are trying to communicate.
4. Once you have downloaded the necessary tools, disconnect from the Internet. Don't attempt removal with a live connection.
5. Go to Control Panel, Internet Options, Security, Custom (in XP, could be different if other windows) and make sure that any software installation requires -- at minimum -- for you to be prompted. Disable any unsigned certificates. If you aren't sure, select prompt, you can relax these settings later. Always require a prompt for software installation if unsigned. The point here is to make it tight, but not annoying.
6. Reboot into safe mode [F8 generally] and search for and delete the .vxd file (virtual device driver), exe's, dll's, and then the other stuff on the list here: http://www.wilderssecurity.com/showpost.php?p=360792&postcount=13.
7. Now return to Regseeker. Check the box "backup before deletion." Don't use the "clean the registry" function that is not specific. Just type in or paste in the keywords and search. Delete matches on the list and repeat searches until there are no entries found.
8. Still in Regseeker, check the "Startup Entries" and delete anything suspicious, refer to your list, or google if unsure.
9. Reboot, look for any suspicious running processes using task manager or equivalent.
10. Repeat your search for files, startup entries and registry keys.
That should do it. Keep us informed of how it works, we can learn from it.
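As an added example (not code from this thread or from any tool named in it), here is an offline check that applies Capp's Run-key inspection and Butters' keyword search (steps 7 and 10) to a regedit export of the kind Windows 98 produces (REGEDIT4 text). The indicator names are the file, key and CLSID names from the removal list quoted earlier in the thread; the sample export below is constructed, and generic names from that list (comm.dll, Info.txt) are deliberately left out because they would match legitimate files.

```python
# Added example: scan a Windows 9x regedit export (REGEDIT4 text) for the
# WindUpdates artifacts named in this thread. Not code from the thread or
# from any tool mentioned in it; the sample .reg text is constructed.
import re

# File and key names taken from the removal list quoted above (lower-case).
# comm.dll and Info.txt are omitted: too generic to be useful indicators.
INDICATOR_FILES = {
    "winadctl.exe", "winctlad.exe", "winupdt.exe", "winka.exe",
    "admillicomm.dll", "admillikeep.exe", "admilliserv.exe", "admanctl.exe",
    "admankeep.exe", "winadctlx.dll", "bridgex.dll", "bridgex.inf",
    "ide21201.vxd", "cdt_bbi8016.exe",
}
INDICATOR_KEYS = {
    "windupdates", "wind updates", "windows adcontrol", "windows controlad",
    "admilli service", "admanager controller", "bridgex.installer",
    "{15ad4789-cdb4-47e1-a9da-992ee8e6bad6}",
}
RUN_KEY_RE = re.compile(r"\\currentversion\\run(once|services)?$", re.I)

# Constructed sample export: a WindUpdates Run entry, the benign loadqm
# entry mentioned in the thread, the adware's own key, and the BridgeX
# CLSID pointing at Downloaded Program Files.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"WindUpdates"="C:\\Program Files\\WindUpdates\\WinUpdt.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"LoadQM"="loadqm.exe"

[HKEY_LOCAL_MACHINE\Software\Windows ControlAd]
@=""

[HKEY_CLASSES_ROOT\CLSID\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}\InprocServer32]
@="C:\\WINDOWS\\Downloaded Program Files\\WinAdCtlX.dll"
'''

def parse_reg_export(text):
    """Parse [key] / "name"="data" lines into {key: {name: data}}.
    Only string values are kept, which is all the Run keys hold."""
    reg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            reg[current] = {}
        elif current is not None and line[:1] in ('"', "@") and "=" in line:
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            reg[current][name] = data.strip().strip('"')
    return reg

def find_windupdates_artifacts(reg):
    """Return sorted (key, value_name, matched_indicators, in_run_key)
    tuples; value_name is None when the key name itself matches."""
    findings = []
    for key, values in reg.items():
        run = bool(RUN_KEY_RE.search(key))
        hits = sorted(i for i in INDICATOR_KEYS if i in key.lower())
        if hits:
            findings.append((key, None, tuple(hits), run))
        for name, data in values.items():
            blob = (name + " " + data).lower()
            hits = sorted(i for i in INDICATOR_FILES | INDICATOR_KEYS if i in blob)
            if hits:
                findings.append((key, name, tuple(hits), run))
    return sorted(findings, key=lambda f: (f[0], f[1] or ""))

if __name__ == "__main__":
    for key, name, hits, run in find_windupdates_artifacts(parse_reg_export(SAMPLE_REG)):
        print(("RUN  " if run else "     ") + key, name, ", ".join(hits))
```

Findings flagged as Run-key entries are the ones that restart the adware at boot; the benign loadqm entry produces no hit, which is the false-positive check a keyword search needs.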
Butters
February 2nd, 2005, 01:14 PM
{QUOTE-> I have copied and pasted all the exe and dll files into Search. Nothing found
Gab <-QUOTE}
Do you have a folder: "c:\program files\winupdates\"
I am seeing some sites that suggest that you have to opt-in in order to install this program, and that removal might be as simple as deleting that folder.
Gab
February 2nd, 2005, 03:38 PM
No Winupdates, only Program files\Windows update
Capp
February 2nd, 2005, 03:40 PM
I have to say Gab, your problem sure has brought out the thinking caps of wilders. We'll keep trying :)
Infinity
February 2nd, 2005, 03:43 PM
Hi Gab, if you want you can post a hijackthis log here:
http://spyblocker-software.com/IPB/index.php?showforum=20
read the sticky, follow the steps and post your log, then I will clean it this evening.
Opt.
Gab
February 2nd, 2005, 03:52 PM
Thanks. I am getting to the point of a complete re-install of Windows. But I am so grateful for the help you're trying to give me. I installed Zone Alarm, and now the internal microphone is not working. Everything I do causes another problem. I know about firewalls and MSN, but this is the mike itself not working (not muted). When I plug in an external mike I get very poor sound, much, much worse than usual. One other thing:
I found in my Start menu a thing called Web Search which just appeared by itself. I clicked on it, since Zone Alarm is active. It took me to a list of casinos. I have deleted it.
Gab
Gab
February 2nd, 2005, 03:53 PM
I'll do that now. Thanks
Gab
Gab
February 2nd, 2005, 04:00 PM
I have posted the log as a new topic under Hijack This and Start Up Lists. Hope that's right.
Gab
Gab
February 2nd, 2005, 04:27 PM
If you need my email address, it's:
Removed email address to prevent harvesting -- Blackspear
Infinity
February 2nd, 2005, 04:28 PM
yes, your question is answered :)
don't think it is a good Idea to post your email, remove it as soon as possible though just to avoid spammers and stuff.
cheers.
Gab
February 2nd, 2005, 05:16 PM
Sorry! I'm learning not to trust anything, but it's taking a while.
Gab
February 3rd, 2005, 04:19 AM
I have followed Infinity's detailed instructions after he or she cleaned my Registry. At the moment, IE6 is working, in the sense that I am no longer being redirected to porn and gambling sites. I'm too much of a pessimist to believe that it's all nice and fixed, and I can't give it a good test till tomorrow since I have to be away for most of today. In the meantime, can I repeat how grateful I am to you all? This sort of help provided with no thought of personal reward restores one's faith in human nature.
Gab
Detox
February 3rd, 2005, 04:27 AM
Glad to hear these folks have restored some of your faith in human nature ;-) - we do have some good folks hanging about Wilders, if I do say so myself (and I do). Should any more problems arise be sure to update us on the condition. Even if things are clean, it might be wise to check out more preventative measures.
Infinity
February 3rd, 2005, 05:18 AM
you are very welcome Gab, drop me a line when you think something is wrong. sometimes malware changes names and paths so that is one of the reasons people get reinfected, they wait too long for cleaning it and stuff.
have a nice day :)
Gab
February 3rd, 2005, 03:49 PM
Well, it all seems to be working fine. A bit slower than usual but I think that's Zone Alarm which I didn't have before.
Is there anything I can do for you guys in return for your freely given time and expertise? I'd be only too glad. I can translate in and out of French (I used to be an interpreter at the British Central Office of Information (Foreign Office), and I know quite a lot about the video and computer games industry which is my main area of research these days.
Gab
Blackspear
February 3rd, 2005, 03:57 PM
{QUOTE-> Well, it all seems to be working fine. <-QUOTE}
Now that your system is clean, you may want to take a look HERE (http://www.wilderssecurity.com/showthread.php?t=62972). As well there are discussions HERE (http://www.wilderssecurity.com/showthread.php?t=45284&page=1&pp=25) and even more HERE (http://www.wilderssecurity.com/showthread.php?t=43117).
Hope this helps...
Cheers ;D
Copyright ©2002 - 2009, Wilders Security Forums