I'm baffled - please help

Discussion in 'privacy problems' started by bluekey23, Jun 29, 2004.

Thread Status:
Not open for further replies.
  1. bluekey23

    bluekey23 Registered Member

    Joined:
    Feb 23, 2004
    Posts:
    77
    Hello,
    I have either a worm or some kind of crapware that keeps installing. Hopefully, someone can help. I have spent the last several days trying to rid my system of this crapware.

    Brief background of the problem: I signed up with a new ISP and grabbed their accelerator (DSLBuster, put out by Slipstream). Right away I saw a lot of strange, new things in my ZA logs: hundreds of access attempts from the loopback address (127.0.0.1). Things like rap-listen, hello, Lipsinc 1, and on and on... All try to get access from ports in the range 1000-2000. These had never appeared before. So I ran Spybot and found many red-highlighted entries. All were from Broadcastpc.tv and AdRoarPlugin. I removed the accelerator immediately (had to use safe mode because Add/Remove Programs wouldn't remove it). Then I cleaned out all the registry entries I could find associated with this crapware. I thought that should take care of the problem. It didn't. I don't see the Broadcastpc.tv stuff anymore, but AdRoarPlugin keeps activating. Ad-Aware doesn't detect this, but Spybot does. Spybot DOES get rid of it, but as soon as I get online for a few minutes it keeps coming back. I tried at the ZA forum and one of the resident gurus helped me understand the problem, but offered no clue as to how to get rid of it. He told me, though, that when you see all those access attempts from the loopback address, it's a good sign the problem is a persistent web bug or malware of some kind. I can't find the CLSID for this because Spybot now only brings up this:

    AdRoarPlugin : Settings (Registry key, fixed)
    HKEY_USERS\S-1-5-21-2516663517-769204576-1617704533-1003\Software\VB and VBA Program Settings

    By trial and error I've discovered that this always gets reintroduced into the registry at startup. Spybot can get rid of it. It must come from somewhere. Can any kind soul offer me some way to get to the root of this problem so that I can get it off my system for good?
    Thanks!
    P.S. Javacool, if you happen to see this post, this is something that definitely needs to be introduced into your database!
     
  2. dog

    dog Guest

    Hi Bluekey, ;)

    Those AdRoar entries are f/p's (false positives) from Spybot's beta update ... I'll find you the link at NI. You need to restore them using Spybot's recovery.

    Here's the Wilders thread that links to the NI link - https://www.wilderssecurity.com/showthread.php?t=37792 ... but NI seems to be down ATM ... read the thread when it comes back up.

    dog - *puppy*
     
  3. bluekey23
    Dog,
    Thanks for the link. I was able to get through and read it. I've deleted that registry entry many times. No problems other than it keeps coming back. Even if it's a false positive, it still doesn't explain why I'm getting flooded with access attempts from the loopback address. The ZA expert who helped me at the ZA forum said he felt these were some kind of crapware or web bug. Yes, they are all being blocked by ZA, but that still doesn't explain where they are coming from. Do you know how to trace the origin of this? That persistent registry entry is being created by something - what?
     
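    Editor's note: the question above (which local program is behind the blocked 127.0.0.1 attempts) is one that firewall logs alone cannot answer, because a blocked attempt only records the two ports involved. The usual approach is to correlate the log's destination ports with a `netstat -ano` snapshot taken while the attempts are happening, then map PIDs to image names with `tasklist`. The script below is an added example and is not code from this thread or from ZoneAlarm: it parses constructed log lines that approximate ZoneAlarm's ZAlog.txt layout (an assumption), a constructed `netstat -ano` snapshot, and a made-up PID-to-image table, and reports for each loopback-targeted port how many attempts hit it, which process is listening there, and any process caught mid-connect to it. The port numbers, PIDs and image names are invented for the example and do not identify any real program on the poster's machine.

```python
"""Correlate loopback connection attempts in a ZoneAlarm-style firewall log
with a `netstat -ano` snapshot, to see which local process listens on (or is
connecting to) each port that 127.0.0.1 keeps hitting.  Added example; not
code from the thread or from ZoneAlarm.  Log and netstat layouts, port
numbers, PIDs and image names below are constructed / assumed."""
import re
from collections import Counter, defaultdict

# Constructed lines approximating ZoneAlarm's ZAlog.txt layout (assumption):
# type,date,time,source ip:port,destination ip:port,protocol
ZA_LOG = """\
FWIN,2004/06/29,09:12:01 -5:00 GMT,127.0.0.1:1047,127.0.0.1:1531,TCP (flags:S)
FWIN,2004/06/29,09:12:03 -5:00 GMT,127.0.0.1:1048,127.0.0.1:1531,TCP (flags:S)
FWIN,2004/06/29,09:12:05 -5:00 GMT,127.0.0.1:1049,127.0.0.1:1789,TCP (flags:S)
FWIN,2004/06/29,09:12:09 -5:00 GMT,127.0.0.1:1050,127.0.0.1:1968,TCP (flags:S)
FWIN,2004/06/29,09:13:00 -5:00 GMT,10.0.0.7:3456,192.168.1.2:135,TCP (flags:S)
FWIN,2004/06/29,09:13:10 -5:00 GMT,127.0.0.1:1051,127.0.0.1:1531,TCP (flags:S)
"""

# Constructed `netstat -ano` output taken while the attempts were occurring.
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       872
  TCP    127.0.0.1:1531         0.0.0.0:0              LISTENING       1644
  TCP    127.0.0.1:1789         0.0.0.0:0              LISTENING       1644
  TCP    127.0.0.1:1052         127.0.0.1:1968         SYN_SENT        2208
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed `tasklist` result: PID -> image name (hypothetical names).
TASKLIST = {872: "svchost.exe", 1644: "accel.exe", 2208: "helper.exe"}

ZA_RE = re.compile(
    r"^(?P<kind>\w+),(?P<date>[^,]+),(?P<time>[^,]+),"
    r"(?P<src>[\d.]+):(?P<sport>\d+),(?P<dst>[\d.]+):(?P<dport>\d+),(?P<proto>\w+)"
)


def parse_za_log(text):
    """Return one dict per parsable log line; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = ZA_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
            events.append(e)
    return events


def loopback_attempts(events):
    """Blocked attempts whose *source* is 127.0.0.1, counted by destination port."""
    return Counter(e["dport"] for e in events if e["src"] == "127.0.0.1")


def parse_netstat(text):
    """Split a `netstat -ano` snapshot into {listening port: pid} and
    {foreign port: {pids holding a non-listening TCP socket to that port}}."""
    listeners, outbound = {}, defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":   # header and UDP rows (no State) are skipped
            continue
        _, local, foreign, state, pid = parts
        if state == "LISTENING":
            listeners[int(local.rsplit(":", 1)[1])] = int(pid)
        else:
            outbound[int(foreign.rsplit(":", 1)[1])].add(int(pid))
    return listeners, outbound


def attribute(za_text, netstat_text, tasklist, port_range=(1000, 2000)):
    """For each port hit from loopback: attempt count, whether it falls in the
    1000-2000 range the poster noticed, the listening process (if any), and
    any process caught mid-connect to that port."""
    counts = loopback_attempts(parse_za_log(za_text))
    listeners, outbound = parse_netstat(netstat_text)
    report = {}
    for port, n in sorted(counts.items()):
        report[port] = {
            "attempts": n,
            "in_range": port_range[0] <= port <= port_range[1],
            "listener": tasklist.get(listeners.get(port)),
            "senders": sorted(tasklist.get(p, "pid %d" % p) for p in outbound.get(port, ())),
        }
    return report


if __name__ == "__main__":
    for port, info in attribute(ZA_LOG, NETSTAT, TASKLIST).items():
        print(port, info)
```

    A port that has a listener but no sender means the snapshot missed the connecting side (the attempt is over in milliseconds); taking several snapshots in a loop, or using a tool that shows socket owners live, catches the sender. A port with neither is a program probing a service that is not running, which is common after an uninstall that left a component behind.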
  4. dog

    Hi Blue Key, ;)

    Did you read post 9 Mikey & 11 KMA ... http://forums.net-integration.net/index.php?showtopic=18058

    More info from Tony Klein - reg entries and the like - http://forums.net-integration.net/index.php?showtopic=18058

    *edit* Oops, I just noticed I duplicated the first link in the second - the link should be http://forums.net-integration.net/index.php?showtopic=18062 My apologies.

    One of your legit apps. See the posts mentioned above.

    As for the logs (access attempts from the loopback address) ... Does your HJT log look normal? You could also try the Bazooka Spyware Scan ... it doesn't remove, but it does identify spyware ... you could also try the trial of Spy Sweeper from Webroot.

    Other than that I'd ask JVMorris or Crazy M specifically about the FW logs.(firewall forum)

    dog - *puppy*
     
    Last edited by a moderator: Jun 30, 2004
  5. bluekey23
    Hi Dog,
    Thanks for the links and suggestions. Read through the posts on the forum for spybot. I will go ahead and assume that AdRoarPlugin is legit, but there are still some unanswered questions. Maybe I'll ask on the FW forum.
    By the way, I already have spysweeper and my HJT scan shows no changes.
     